diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 1070d93076..9d5d96abb7 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -56,15 +56,6 @@ jobs: uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.branch }} - fetch-depth: 0 - - - name: Setup QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - with: - platforms: arm,arm64,ppc64le,s390x - - - name: Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Authenticate to Google Cloud id: auth @@ -104,16 +95,29 @@ jobs: env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Check if base images exist - id: base_exists + - name: Check if images exist + id: images_exist run: | base_image="gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ inputs.base-image-md5 }}-${{ inputs.image }}" echo "image=${base_image}" >> $GITHUB_OUTPUT if docker manifest inspect ${base_image}; then - echo "exists=true" >> $GITHUB_OUTPUT + echo "base_exists=true" >> $GITHUB_OUTPUT + fi + if docker manifest inspect ${{ steps.meta.outputs.tags }}; then + echo "target_exists=true" >> $GITHUB_OUTPUT fi if: ${{ inputs.authenticated && ! inputs.full-build }} + - name: Setup QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + platforms: arm,arm64,ppc64le,s390x + if: ${{ steps.images_exist.outputs.target_exists != 'true' }} + + - name: Docker Buildx + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 + if: ${{ steps.images_exist.outputs.target_exists != 'true' }} + - name: Build Base Container uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 with: 
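Review bot: The Setup QEMU and Docker Buildx steps are gated on `steps.images_exist.outputs.target_exists != 'true'` alone, while `Build Base Container` just below runs whenever `base_exists != 'true'`, so a run in which the target tag exists but the base tag does not reaches a multi-platform build with `cache-to: type=gha` and no buildx builder; gate both setup steps on `if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}`, the same condition the later build steps use. Separately, `${{ steps.meta.outputs.tags }}` and the workflow inputs are expanded directly into the `run:` script: docker/metadata-action emits `tags` newline-separated when more than one tag is configured (the `meta` configuration is not in this hunk), which would execute the extra tags as separate shell commands, and any of these values a caller can influence is a script-injection path in a job that has just authenticated to Google Cloud and pushes to the registry. Passing the values through `env:`, quoting them, and requiring every tag to be present addresses both; a sketch of the check step follows. The `meta` step and the remaining inputs are outside this hunk.

```yaml
      - name: Check if images exist
        id: images_exist
        env:
          BASE_IMAGE: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ inputs.base-image-md5 }}-${{ inputs.image }}
          TARGET_TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          echo "image=${BASE_IMAGE}" >> "$GITHUB_OUTPUT"
          if docker manifest inspect "${BASE_IMAGE}" >/dev/null; then
            echo "base_exists=true" >> "$GITHUB_OUTPUT"
          fi
          # Skip the target build only when every configured tag already exists.
          all_present=true
          [ -n "${TARGET_TAGS}" ] || all_present=false
          while IFS= read -r tag; do
            [ -n "${tag}" ] || continue
            docker manifest inspect "${tag}" >/dev/null || all_present=false
          done <<< "${TARGET_TAGS}"
          if [ "${all_present}" = true ]; then
            echo "target_exists=true" >> "$GITHUB_OUTPUT"
          fi
        if: ${{ inputs.authenticated && ! inputs.full-build }}
      # … unchanged: Setup QEMU / Docker Buildx, gated on base_exists || target_exists as above …
```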
@@ -121,7 +125,7 @@ jobs: context: "." cache-to: type=gha,scope=${{ inputs.image }},mode=max target: common - tags: ${{ steps.base_exists.outputs.image }} + tags: ${{ steps.images_exist.outputs.image }} platforms: ${{ inputs.platforms }} pull: true push: true @@ -129,23 +133,14 @@ jobs: build-args: | BUILD_OS=${{ inputs.image }} IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }} - if: ${{ inputs.authenticated && steps.base_exists.outputs.exists != 'true' }} - - - name: Check if target image exists - id: target_exists - run: | - if docker pull ${{ steps.meta.outputs.tags }}; then - echo "exists=true" >> $GITHUB_OUTPUT - fi - if: ${{ inputs.authenticated && ! inputs.full-build }} + if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }} - name: Debug values run: | echo "authenticated: ${{ inputs.authenticated }}" - echo "base_exists: ${{ steps.base_exists.outputs.exists }}" - echo "target_exists: ${{ steps.target_exists.outputs.exists }}" + echo "images_exist: ${{ steps.images_exist.outputs.base_exists }}" + echo "target_exists: ${{ steps.images_exist.outputs.target_exists }}" echo "full-build: ${{ inputs.full-build }}" - echo "all: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}" - name: Fetch Cached Artifacts uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 @@ -153,7 +148,7 @@ jobs: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ inputs.go-md5 }} fail-on-cache-miss: true - if: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }} + if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Build Docker image uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 
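Review bot: The `Debug values` step prints the base-image result under the label `images_exist:`, but the value is `steps.images_exist.outputs.base_exists`, so the log reads as if a step-level flag were being shown next to the `target_exists:` line; rename it `echo "base_exists: ${{ steps.images_exist.outputs.base_exists }}"`. The same `base_exists != 'true' || target_exists != 'true'` disjunction is now repeated verbatim on the cache and build steps, and it relies on both outputs being empty when the check step is skipped; emitting a single `needs_build` output from the check step and testing that would keep the gates from drifting and make the skipped-step case explicit. The `Build Base Container` step whose `if:` changes here starts in the previous hunk.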
@@ -175,9 +170,9 @@ jobs: provenance: false build-args: | BUILD_OS=${{ inputs.image }} - ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_exists.outputs.image) }} + ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.images_exist.outputs.image) }} IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }} - if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }} + if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Make directory for security scan results run: | diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 175266c1ff..342a6e07fd 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -58,15 +58,6 @@ jobs: uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.branch }} - fetch-depth: 0 - - - name: Setup QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - with: - platforms: arm64,s390x - - - name: Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Authenticate to Google Cloud id: auth 
@@ -109,16 +100,29 @@ jobs: env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Check if base images exist - id: base_exists + - name: Check if images exist + id: images_exist run: | base_image="gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }}${{ contains(inputs.image, 'v5') && '-v5' || '' }}" echo "image=${base_image}" >> $GITHUB_OUTPUT - if docker pull ${base_image}; then - echo "exists=true" >> $GITHUB_OUTPUT + if docker manifest inspect ${base_image}; then + echo "base_exists=true" >> $GITHUB_OUTPUT + fi + if docker manifest inspect ${{ steps.meta.outputs.tags }}; then + echo "target_exists=true" >> $GITHUB_OUTPUT fi if: ${{ inputs.authenticated && ! inputs.full-build }} + - name: Setup QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + platforms: arm,arm64,ppc64le,s390x + if: ${{ steps.images_exist.outputs.target_exists != 'true' }} + + - name: Docker Buildx + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 + if: ${{ steps.images_exist.outputs.target_exists != 'true' }} + - name: Build Base Container uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 with: @@ -126,7 +130,7 @@ jobs: context: "." cache-to: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max target: common - tags: ${{ steps.base_exists.outputs.image }} + tags: ${{ steps.images_exist.outputs.image }} platforms: ${{ inputs.platforms }} pull: true push: true 
@@ -139,23 +143,14 @@ jobs: "nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}" "nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}" ${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} - if: ${{ inputs.authenticated && steps.base_exists.outputs.exists != 'true' }} - - - name: Check if target image exists - id: target_exists - run: | - if docker pull ${{ steps.meta.outputs.tags }}; then - echo "exists=true" >> $GITHUB_OUTPUT - fi - if: ${{ inputs.authenticated && ! inputs.full-build }} + if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }} - name: Debug values run: | echo "authenticated: ${{ inputs.authenticated }}" - echo "base_exists: ${{ steps.base_exists.outputs.exists }}" - echo "target_exists: ${{ steps.target_exists.outputs.exists }}" + echo "images_exist: ${{ steps.images_exist.outputs.base_exists }}" + echo "target_exists: ${{ steps.images_exist.outputs.target_exists }}" echo "full-build: ${{ inputs.full-build }}" - echo "all: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}" - name: Fetch Cached Artifacts uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 @@ -163,7 +158,7 @@ jobs: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ inputs.go-md5 }} fail-on-cache-miss: true - if: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }} + if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Build Docker image uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 
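Review bot: The label `images_exist:` in the `Debug values` step does not match what is printed, which is `steps.images_exist.outputs.base_exists`; change it to `echo "base_exists: ${{ steps.images_exist.outputs.base_exists }}"` so the line pairs with `target_exists:` below it. With the old `all:` line removed, the effective build condition is no longer visible in the log, and the `base_exists != 'true' || target_exists != 'true'` expression is now duplicated on the cache and build steps; a single `needs_build` output computed once in the check step would be both easier to debug and harder to desynchronise. The `Build Base Container` step whose `if:` and build secrets appear here begins in an earlier hunk.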
@@ -185,7 +180,7 @@ jobs: provenance: false build-args: | BUILD_OS=${{ inputs.image }} - ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_exists.outputs.image ) }} + ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.images_exist.outputs.image ) }} IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }} ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }} ${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }} @@ -194,7 +189,7 @@ jobs: "nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}" "nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}" ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} - if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }} + if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Make directory for security scan results run: | diff --git a/build/Dockerfile b/build/Dockerfile index 9f26dccd94..c0f45b1ed9 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -10,12 +10,12 @@ ARG WAF_VERSION=v4 ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0@sha256:d9f6f930b7bfcc026785aca49fdb96fbecdc517ebbdb893f6393ac78b247c8fb as opentracing-lib -FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c76384a775316c541995b145d4cef86d529934951319fd127f4d4fdb9ef7 as alpine-opentracing-lib -FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 as alpine-fips-3.17 -FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc as alpine-fips-3.19 +FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0@sha256:d9f6f930b7bfcc026785aca49fdb96fbecdc517ebbdb893f6393ac78b247c8fb AS opentracing-lib +FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c76384a775316c541995b145d4cef86d529934951319fd127f4d4fdb9ef7 AS alpine-opentracing-lib +FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 AS alpine-fips-3.17 +FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc AS alpine-fips-3.19 FROM redhat/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS ubi-minimal -FROM golang:1.22-alpine@sha256:32c85006b1edf29c097514e0c81a33334aa1450685a885c10657ec756dbb7703 as golang-builder +FROM golang:1.22-alpine@sha256:32c85006b1edf29c097514e0c81a33334aa1450685a885c10657ec756dbb7703 AS golang-builder ############################################# Base image for Alpine ############################################# 
@@ -57,7 +57,7 @@ COPY --link --chown=101:0 LICENSE /licenses/ ############################################# NGINX files for NGINX Plus ############################################# -FROM scratch as nginx-files +FROM scratch AS nginx-files ARG IC_VERSION ARG BUILD_OS ARG NGINX_PLUS_VERSION @@ -97,7 +97,7 @@ ADD --link --chown=101:0 --chmod=0755 build/scripts/agent.sh agent.sh ############################################# Patch Image ############################################# -FROM ${IMAGE_NAME} as patched +FROM ${IMAGE_NAME} AS patched ARG IMAGE_NAME ARG IC_VERSION @@ -112,7 +112,7 @@ USER 101 ############################################# Base image for Alpine with NGINX Plus ############################################# -FROM alpine:3.19@sha256:af4785ccdbcd5cde71bfd5b93eabd34250b98651f19fe218c91de6c8d10e21c5 as alpine-plus +FROM alpine:3.19@sha256:af4785ccdbcd5cde71bfd5b93eabd34250b98651f19fe218c91de6c8d10e21c5 AS alpine-plus ARG NGINX_PLUS_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} @@ -131,7 +131,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ ############################################# Base image for Alpine with NGINX Plus and FIPS ############################################# -FROM alpine-plus as alpine-plus-fips +FROM alpine-plus AS alpine-plus-fips ARG NGINX_PLUS_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} @@ -144,7 +144,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS ############################################# -FROM alpine:3.17@sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc as alpine-plus-nap-fips +FROM alpine:3.17@sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc AS alpine-plus-nap-fips ARG NGINX_PLUS_VERSION ARG NGINX_AGENT ARG NGINX_PLUS_VERSION 
@@ -180,7 +180,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAFv5 and FIPS ############################################# -FROM alpine:3.17@sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc as alpine-plus-nap-v5-fips +FROM alpine:3.17@sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc AS alpine-plus-nap-v5-fips ARG NGINX_PLUS_VERSION ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -242,7 +242,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for Debian with NGINX Plus and App Protect WAF/DoS ############################################# -FROM debian-plus as debian-plus-nap +FROM debian-plus AS debian-plus-nap ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -286,7 +286,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && if [ -z "${NAP_MODULES##*dos*}" ]; then nap-dos.sh; fi ############################################# Base image for Debian with NGINX Plus and App Protect WAFv5/DoS ############################################# -FROM debian-plus as debian-plus-nap-v5 +FROM debian-plus AS debian-plus-nap-v5 ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -338,7 +338,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAF ############################################# -FROM ubi-minimal as ubi-9-plus-nap +FROM ubi-minimal AS ubi-9-plus-nap ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION 
@@ -382,7 +382,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAFv5 ############################################# -FROM ubi-minimal as ubi-9-plus-nap-v5 +FROM ubi-minimal AS ubi-9-plus-nap-v5 ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -427,7 +427,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAF & DoS ############################################# -FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d as ubi-8-plus-nap +FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d AS ubi-8-plus-nap ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -491,7 +491,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAFv5 ############################################# -FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d as ubi-8-plus-nap-v5 +FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d AS ubi-8-plus-nap-v5 ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -539,7 +539,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Create common files, permissions and setcap ############################################# -FROM ${BUILD_OS} as common +FROM ${BUILD_OS} AS common ARG BUILD_OS ARG IC_VERSION 
@@ -773,9 +773,9 @@ USER 101 ############################################# Create image with nginx-ingress extracted from image on Docker Hub ############################################# -FROM nginx/nginx-ingress:${DOWNLOAD_TAG} as kic +FROM nginx/nginx-ingress:${DOWNLOAD_TAG} AS kic -FROM common as download +FROM common AS download LABEL org.nginx.kic.image.build.version="binaries"