From b0ee57c4d2a5da7eb8141a3b3207d6a5e1d365aa Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Wed, 7 Feb 2024 11:37:37 +0000
Subject: [PATCH 1/2] allow waf users to build without dos repo access (#5041)
---
 build/Dockerfile | 38 +++++++++++++++++++++++++++++++-------
 1 file changed, 31 insertions(+), 7 deletions(-)
diff --git a/build/Dockerfile b/build/Dockerfile
index 26dc19113b..50eb44338d 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -145,10 +145,16 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \
 --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \
 --mount=type=bind,from=nginx-files,src=debian-plus-11.sources,target=/etc/apt/sources.list.d/nginx-plus.sources \
- --mount=type=bind,from=nginx-files,src=nap-waf-11.sources,target=/etc/apt/sources.list.d/app-protect.sources \
- --mount=type=bind,from=nginx-files,src=nap-dos-11.sources,target=/etc/apt/sources.list.d/app-protect-dos.sources \
+ --mount=type=bind,from=nginx-files,src=nap-waf-11.sources,target=/tmp/app-protect.sources \
+ --mount=type=bind,from=nginx-files,src=nap-dos-11.sources,target=/tmp/app-protect-dos.sources \
 ## the code below is duplicated from the debian-plus image because NAP doesn't support debian 12
- apt-get update \
+ if [ -z "${NAP_MODULES##*waf*}" ]; then \
+ cp /tmp/app-protect.sources /etc/apt/sources.list.d/app-protect.sources; \
+ fi \
+ && if [ -z "${NAP_MODULES##*dos*}" ]; then \
+ cp /tmp/app-protect-dos.sources /etc/apt/sources.list.d/app-protect-dos.sources; \
+ fi \
+ && apt-get update \
 && apt-get upgrade -y \
 && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates sq \
 && groupadd --system --gid 101 nginx \
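Review bot: `[ -z "${NAP_MODULES##*waf*}" ]` on the new `if` lines is also true when NAP_MODULES is empty or unset, because stripping a pattern from an empty expansion leaves an empty string, so a build that forgets the variable silently copies both sources files and once again needs DOS repo access; the same test appears in the UBI hunk (`@@ -205,11`) and in both cleanup hunks. Unless the ARG carries a non-empty default (not visible here), a `case` pattern is shorter and is false for the empty string: `case "$NAP_MODULES" in *waf*) cp /tmp/app-protect.sources /etc/apt/sources.list.d/app-protect.sources;; esac \`. The RUN instruction these lines belong to starts before the hunk.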
@@ -169,6 +175,12 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
 && ldconfig \
 ## end of duplicated code
+ && if [ -z "${NAP_MODULES##*waf*}" ]; then \
+ rm -f /etc/apt/sources.list.d/app-protect.sources; \
+ fi \
+ && if [ -z "${NAP_MODULES##*dos*}" ]; then \
+ rm -f /etc/apt/sources.list.d/app-protect-dos.sources; \
+ fi \
 && rm -rf /var/lib/apt/lists/*
 
 # Uncomment the lines below if you want to install a custom CA certificate
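Review bot: The new `rm -f` lines are load-bearing rather than tidy-up: the sources files are now copied into the layer by the earlier hunk instead of being bind-mounted, so skipping this step would leave the app-protect repository definitions in the published image, and nothing in the hunk says so. Add a comment above the first `&& if`, e.g. `## the NAP sources were copied (not mounted) above; remove them so they do not ship in the image`; the Dockerfile parser drops `#` lines before the shell sees the continuation chain, as the existing `## end of duplicated code` line already relies on. The same applies to the UBI cleanup hunk (`@@ -233,6`). The RUN instruction this belongs to starts before the hunk.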
@@ -205,11 +217,17 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
 --mount=type=bind,from=nginx-files,src=nginx-plus-8.repo,target=/etc/yum.repos.d/nginx-plus.repo,rw \
 --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \
- --mount=type=bind,from=nginx-files,src=app-protect-8.repo,target=/etc/yum.repos.d/app-protect-8.repo \
- --mount=type=bind,from=nginx-files,src=app-protect-dos-8.repo,target=/etc/yum.repos.d/app-protect-dos-8.repo \
+ --mount=type=bind,from=nginx-files,src=app-protect-8.repo,target=/tmp/app-protect-8.repo \
+ --mount=type=bind,from=nginx-files,src=app-protect-dos-8.repo,target=/tmp/app-protect-dos-8.repo \
 source /tmp/rhel_license \
- ## the code below is duplicated from the ubi-plus image because NAP doesn't support UBI 9 and minimal versions
- dnf --nodocs install -y shadow-utils ca-certificates \
+ && if [ -z "${NAP_MODULES##*waf*}" ]; then \
+ cp /tmp/app-protect-8.repo /etc/yum.repos.d/app-protect-8.repo; \
+ fi \
+ && if [ -z "${NAP_MODULES##*dos*}" ]; then \
+ cp /tmp/app-protect-dos-8.repo /etc/yum.repos.d/app-protect-dos-8.repo; \
+ fi \
+ ## the code below is duplicated from the ubi-plus image because NAP DOS doesn't support UBI 9 and minimal versions
+ && dnf --nodocs install -y shadow-utils ca-certificates \
 && dnf update -y \
 && groupadd --system --gid 101 nginx \
 && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
@@ -233,6 +251,12 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 # fix for CVEs
 && dnf upgrade -y curl ncurses \
 && subscription-manager unregister \
+ && if [ -z "${NAP_MODULES##*waf*}" ]; then \
+ rm -f /etc/yum.repos.d/app-protect-8.repo; \
+ fi \
+ && if [ -z "${NAP_MODULES##*dos*}" ]; then \
+ rm -f /etc/yum.repos.d/app-protect-dos-8.repo; \
+ fi \
 && dnf clean all
 
 # Uncomment the lines below if you want to install a custom CA certificate
From 879c563d8f6ea7e704fbcd9619a60205edf1bb13 Mon Sep 17 00:00:00 2001
From: Jim Ryan
Date: Thu, 21 Dec 2023 14:39:46 +0000
Subject: [PATCH 2/2] fix new lines in snippets (#4832)
* fix new lines in snippets
* add test for server snippet new lines
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
---------
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 .../configs/version2/nginx-plus.transportserver.tmpl | 6 +++---
 internal/configs/version2/nginx-plus.virtualserver.tmpl | 6 +++---
 internal/configs/version2/nginx.transportserver.tmpl | 4 ++--
 internal/configs/version2/nginx.virtualserver.tmpl | 6 +++---
 .../data/transport-server/transport-server-snippets.yaml | 5 ++++-
 tests/suite/test_transport_server.py | 9 +++++----
 6 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/internal/configs/version2/nginx-plus.transportserver.tmpl b/internal/configs/version2/nginx-plus.transportserver.tmpl
index b3d59172d4..f3e47b3a42 100644
--- a/internal/configs/version2/nginx-plus.transportserver.tmpl
+++ b/internal/configs/version2/nginx-plus.transportserver.tmpl
@@ -18,8 +18,8 @@ upstream {{ $u.Name }} { {{- end }} {{- range $snippet := .StreamSnippets }} -{{- $snippet }} -{{ end }} +{{ $snippet }} +{{- end }} {{ with $m := .Match }} match {{ $m.Name }} {
@@ -60,7 +60,7 @@ server { {{- end }} {{- range $snippet := $s.ServerSnippets }} - {{- $snippet }} + {{ $snippet }} {{- end }} proxy_pass {{ $s.ProxyPass }}; diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl index b8c2ba27da..2f6a3faa59 100644 --- a/internal/configs/version2/nginx-plus.virtualserver.tmpl +++ b/internal/configs/version2/nginx-plus.virtualserver.tmpl @@ -48,7 +48,7 @@ map {{ $m.Source }} {{ $m.Variable }} { {{- end }} {{- range $snippet := .HTTPSnippets }} -{{- $snippet }} +{{ $snippet }} {{- end }} {{- range $z := .LimitReqZones }} @@ -286,7 +286,7 @@ server { {{- end }} {{- range $snippet := $s.Snippets }} - {{- $snippet }} + {{ $snippet }} {{- end }} {{- range $l := $s.InternalRedirectLocations }} @@ -351,7 +351,7 @@ server { internal; {{- end }} {{- range $snippet := $l.Snippets }} - {{- $snippet }} + {{ $snippet }} {{- end }} {{- with $l.PoliciesErrorReturn }} diff --git a/internal/configs/version2/nginx.transportserver.tmpl b/internal/configs/version2/nginx.transportserver.tmpl index 901def05fa..15f0a97fd0 100644 --- a/internal/configs/version2/nginx.transportserver.tmpl +++ b/internal/configs/version2/nginx.transportserver.tmpl @@ -14,7 +14,7 @@ upstream {{ $u.Name }} { {{- end }} {{- range $snippet := .StreamSnippets }} -{{- $snippet }} +{{ $snippet }} {{- end }} {{- $s := .Server }} @@ -42,7 +42,7 @@ server { {{- end }} {{- range $snippet := $s.ServerSnippets }} - {{- $snippet }} + {{ $snippet }} {{- end }} proxy_pass {{ $s.ProxyPass }}; diff --git a/internal/configs/version2/nginx.virtualserver.tmpl b/internal/configs/version2/nginx.virtualserver.tmpl index 6469634d59..da6fa1985a 100644 --- a/internal/configs/version2/nginx.virtualserver.tmpl +++ b/internal/configs/version2/nginx.virtualserver.tmpl 
@@ -32,7 +32,7 @@ map {{ $m.Source }} {{ $m.Variable }} { {{- end }} {{- range $snippet := .HTTPSnippets }} -{{- $snippet }} +{{ $snippet }} {{- end }} {{- range $z := .LimitReqZones }} @@ -166,7 +166,7 @@ server { {{- end }} {{- range $snippet := $s.Snippets }} - {{- $snippet }} + {{ $snippet }} {{- end }} {{- range $l := $s.InternalRedirectLocations }} @@ -208,7 +208,7 @@ server { internal; {{- end }} {{- range $snippet := $l.Snippets }} - {{- $snippet }} + {{ $snippet }} {{- end }} {{- with $l.PoliciesErrorReturn }} diff --git a/tests/data/transport-server/transport-server-snippets.yaml b/tests/data/transport-server/transport-server-snippets.yaml index ec3c58ba99..8665463603 100644 --- a/tests/data/transport-server/transport-server-snippets.yaml +++ b/tests/data/transport-server/transport-server-snippets.yaml @@ -4,7 +4,10 @@ metadata: name: transport-server spec: streamSnippets: limit_conn_zone $binary_remote_addr zone=addr:10m; - serverSnippets: limit_conn addr 1; + serverSnippets: | + limit_conn addr 1; + # a comment is allowed in snippets + add_header X-test-header "test-value"; listener: name: dns-tcp protocol: TCP diff --git a/tests/suite/test_transport_server.py b/tests/suite/test_transport_server.py index fa72fbd694..4af17653dc 100644 --- a/tests/suite/test_transport_server.py +++ b/tests/suite/test_transport_server.py 
@@ -55,10 +55,11 @@ def test_snippets( transport_server_setup.namespace, ) - assert ( - "limit_conn_zone $binary_remote_addr zone=addr:10m;" in conf # stream-snippets - and "limit_conn addr 1;" in conf # server-snippets - ) + conf_lines = [line.strip() for line in conf.split("\n")] + assert "limit_conn_zone $binary_remote_addr zone=addr:10m;" in conf_lines # stream-snippets on separate line + assert "limit_conn addr 1;" in conf_lines # server-snippets on separate line + assert "# a comment is allowed in snippets" in conf_lines # comments are allowed in server snippets + assert 'add_header X-test-header "test-value";' in conf_lines # new line in server-snippets on separate line def test_configurable_timeout_directives( self, kube_apis, crd_ingress_controller, transport_server_setup, ingress_controller_prerequisites
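Review bot: `conf.split("\n")` on the new `conf_lines` line is the manual form of `conf.splitlines()`, which also tolerates other line terminators; `conf_lines = [line.strip() for line in conf.splitlines()]` reads as the intended operation. The four `in conf_lines` assertions do pin the property the fix introduces, since a snippet joined onto a neighbouring line would no longer match exactly. test_snippets begins before the hunk.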