diff --git a/.github/workflows/edge.yml b/.github/workflows/edge.yml index 945a58cc05..4bbb555668 100644 --- a/.github/workflows/edge.yml +++ b/.github/workflows/edge.yml @@ -100,12 +100,9 @@ jobs: runs-on: ubuntu-20.04 needs: binary strategy: + fail-fast: false matrix: image: [debian, alpine, opentracing, ubi] - ubi_version: ["8"] - include: - - image: ubi - ubi_version: 7 steps: - name: Checkout Repository uses: actions/checkout@v2 @@ -140,7 +137,6 @@ jobs: build-args: | BUILD_OS=${{ matrix.image }} NGINX_VERSION=${{ steps.commit.outputs.nginx_version }} - UBI_VERSION=${{ matrix.ubi_version }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: @@ -165,6 +161,7 @@ jobs: runs-on: ubuntu-20.04 needs: [binary, unit-tests] strategy: + fail-fast: false matrix: include: - image: debian @@ -328,6 +325,7 @@ jobs: needs: [smoke-tests, helm-tests] if: github.event_name == 'push' && github.ref == 'refs/heads/master' strategy: + fail-fast: false matrix: include: - tag: edge diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 76e799c900..09e2f7cc35 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -60,6 +60,7 @@ jobs: runs-on: ubuntu-20.04 needs: [binary] strategy: + fail-fast: false matrix: include: - tag: ${{ needs.binary.outputs.version }} diff --git a/Makefile b/Makefile index 1b513c1b0e..e3513ef05b 100644 --- a/Makefile +++ b/Makefile 
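Review bot: `fail-fast: false` on the push-only matrix (edge.yml hunk at -328, the job guarded by `if: github.event_name == 'push' && github.ref == 'refs/heads/master'`) and on the release.yml matrix at -60 means a failing variant no longer cancels its siblings. If these are the jobs that publish images, which the hunks do not show, a run can end with some tags pushed and others missing. On the build-and-scan matrices the setting is useful, because every image's Trivy result is reported instead of only the first failure. For the two publishing matrices I would keep the default or state the accepted behaviour next to the key, e.g. `# fail-fast off: variants publish independently; re-run a failed variant by hand`. The job bodies lie outside all of these hunks.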
@@ -86,7 +86,7 @@ openshift-image-plus: build ## Create Docker image for Ingress Controller (ubi w .PHONY: openshift-image-nap-plus openshift-image-nap-plus: build ## Create Docker image for Ingress Controller (ubi with plus and nap) - $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-plus-nap --build-arg FILES=nap-common --build-arg UBI_VERSION=7 + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-plus-nap --build-arg FILES=nap-common .PHONY: debian-image-opentracing debian-image-opentracing: build ## Create Docker image for Ingress Controller (with opentracing) diff --git a/build/Dockerfile b/build/Dockerfile index 5e60012d74..071df6bfc7 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,7 +1,6 @@ # syntax=docker/dockerfile:1.2 ARG BUILD_OS=debian ARG NGINX_PLUS_VERSION=r26 -ARG UBI_VERSION=8 ARG FILES= ARG DEBIAN_VERSION=bullseye-slim @@ -81,18 +80,9 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode # RUN update-ca-certificates -############################################# Base image for UBI 8 ############################################# -FROM redhat/ubi8-minimal AS ubi-base-8 - - -############################################# Base image for UBI 7 ############################################# -FROM registry.access.redhat.com/ubi7/ubi AS ubi-base-7 - -RUN yum install -y microdnf - - ############################################# Base image for UBI ############################################# -FROM ubi-base-${UBI_VERSION} AS ubi-base +FROM redhat/ubi8 AS ubi-base +ARG IC_VERSION SHELL ["/bin/bash", "-o", "pipefail", "-c"] LABEL name="NGINX Ingress Controller" \ 
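Review bot: `FROM redhat/ubi8 AS ubi-base` in the Dockerfile hunk at -81 carries no tag or digest, so each build resolves whatever `latest` points to at that moment and the Trivy result in edge.yml describes a base that cannot be reproduced later. Pinning by digest, `FROM redhat/ubi8@sha256:<digest-placeholder> AS ubi-base`, with a scheduled bump, makes the scanned image and the shipped image the same thing. The move from `ubi8-minimal` to the full `ubi8` base also brings dnf and its dependencies into every UBI variant, which increases the package set that has to be patched. A one-line comment above the `FROM` saying why the full image is needed would help the next reader. The stage continues past the end of the hunk.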
@@ -105,7 +95,9 @@ LABEL name="NGINX Ingress Controller" \ io.k8s.description="The NGINX Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources." \ io.openshift.tags="nginx,ingress-controller,ingress,controller,kubernetes,openshift" -RUN microdnf --nodocs install -y shadow-utils ca-certificates \ +RUN dnf --nodocs install -y shadow-utils ca-certificates \ + # temporary fix for CVE-2022-24407 + && dnf --nodocs install -y cyrus-sasl-lib \ && groupadd --system --gid 101 nginx \ && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx @@ -121,7 +113,7 @@ RUN rpm --import https://nginx.org/keys/nginx_signing.key \ && printf "%s\n" "[nginx]" "name=nginx repo" \ "baseurl=https://nginx.org/packages/mainline/centos/${version}/\$basearch/" \ "gpgcheck=1" "enabled=1" "module_hotfixes=true" > /etc/yum.repos.d/nginx.repo \ - && microdnf --nodocs install -y nginx-${NGINX_VERSION} \ + && dnf --nodocs install -y nginx-${NGINX_VERSION} \ && rm /etc/yum.repos.d/nginx.repo 
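Review bot: The `# temporary fix for CVE-2022-24407` workaround in the hunk at -105 has no removal condition and does not show that a patched `cyrus-sasl-lib` was actually installed. `dnf install` on an already-installed package exits 0 when the repository has nothing newer, so the build passes either way and only the Trivy step would notice. I would expand the comment to `# temporary fix for CVE-2022-24407: remove once the redhat/ubi8 base ships a patched cyrus-sasl-lib`. This layer, and the `dnf --nodocs install -y nginx-${NGINX_VERSION}` layer in the hunk at -121, also leave the dnf cache in the image. The NAP stage later in this diff ends with `dnf clean all && rm -rf /var/cache/dnf`, and the same tail would fit here.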
@@ -132,8 +124,8 @@ ARG NGINX_PLUS_VERSION RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ rpm --import https://cs.nginx.com/static/keys/nginx_signing.key \ - && curl -sS "https://cs.nginx.com/static/files/nginx-plus-$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1).repo" | tr 0 1 > /etc/yum.repos.d/nginx-plus.repo \ - && microdnf --nodocs install -y nginx-plus-${NGINX_PLUS_VERSION} nginx-plus-module-njs-${NGINX_PLUS_VERSION} + && curl -fsSL "https://cs.nginx.com/static/files/nginx-plus-$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1).repo" | tr 0 1 > /etc/yum.repos.d/nginx-plus.repo \ + && dnf --nodocs install -y nginx-plus-${NGINX_PLUS_VERSION} nginx-plus-module-njs-${NGINX_PLUS_VERSION} ############################################# Base image for UBI with NGINX Plus and App Protect ############################################# 
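Review bot: The new `-L` on `curl -fsSL "https://cs.nginx.com/static/files/nginx-plus-….repo"` makes curl follow redirects, and by default those may leave HTTPS. The downloaded file defines the repository that the following `dnf install` trusts. Adding `--proto '=https' --proto-redir '=https'` to the call keeps the fetch on TLS end to end; the same applies to the `app-protect-8.repo` download in the NAP stage hunk at -143. The `-f` is a good addition, since an HTTP error page no longer ends up in `/etc/yum.repos.d/`. The `| tr 0 1` filter deserves a short comment on its purpose (presumably turning `gpgcheck=0` into `gpgcheck=1`), because it rewrites every `0` in the file, not just that setting.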
@@ -143,16 +135,16 @@ ARG NGINX_PLUS_VERSION RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=secret,id=rhel_license,dst=/tmp/rhel_license,mode=0644 \ - set -x \ - && source /tmp/rhel_license \ - && curl -sS https://cs.nginx.com/static/files/app-protect-7.repo > /etc/yum.repos.d/app-protect-7.repo \ + source /tmp/rhel_license \ && subscription-manager register --org=${RHEL_ORGANIZATION} --activationkey=${RHEL_ACTIVATION_KEY} || true \ - && subscription-manager attach --auto \ - && subscription-manager repos --enable rhel-7-server-optional-rpms --enable rhel-7-server-extras-rpms \ - && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \ - && yum clean all \ - && yum install -y nginx-plus-module-appprotect-${NGINX_PLUS_VERSION} $(repoquery app-protect-${NGINX_PLUS_VERSION#r}*) app-protect-attack-signatures app-protect-threat-campaigns \ - && rm /etc/yum.repos.d/app-protect-7.repo + && subscription-manager attach \ + && dnf config-manager --set-enabled codeready-builder-for-rhel-8-x86_64-rpms \ + && dnf --nodocs install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ + && curl -fsSL https://cs.nginx.com/static/files/app-protect-8.repo > /etc/yum.repos.d/app-protect-8.repo \ + && dnf --nodocs install -y app-protect-${NGINX_PLUS_VERSION#r}* app-protect-attack-signatures app-protect-threat-campaigns \ + && rm /etc/yum.repos.d/app-protect*.repo \ + && subscription-manager unregister \ + && dnf clean all && rm -rf /var/cache/dnf # Uncomment the lines below if you want to install a custom CA certificate # COPY build/*.crt /etc/pki/ca-trust/source/anchors/ diff --git a/docs-web/technical-specifications.md b/docs-web/technical-specifications.md index 83c85ed9ac..88f3191dd4 100644 --- a/docs-web/technical-specifications.md +++ b/docs-web/technical-specifications.md 
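Review bot: `dnf --nodocs install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm` installs a package given by URL, and as far as I know dnf does not check signatures on command-line packages unless `localpkg_gpgcheck` is enabled. That package delivers the EPEL repo definition and its keys, so it is a trust anchor protected only by TLS. I would import the key first and enforce the check: `rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8 \` followed by `&& dnf --nodocs --setopt=localpkg_gpgcheck=1 install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \`. Keeping a copy of the key in the repository and importing that file instead would avoid trusting the download host for both the key and the package. The RUN instruction starts above the hunk with the secret mounts.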
@@ -38,7 +38,7 @@ The supported architecture is x86-64. - NGINX OpenTracing module, OpenTracing library, OpenTracing tracers for Jaeger, Zipkin and Datadog - * - Ubi-based image - - ``redhat/ubi8-minimal`` + - ``redhat/ubi8`` - - ``nginx/nginx-ingress:1.12.3-ubi`` ``` @@ -67,13 +67,13 @@ NGINX Plus images are not available through DockerHub. - ``debian:bullseye-slim`` - NGINX Plus OpenTracing module, OpenTracing tracers for Jaeger, Zipkin and Datadog * - Ubi-based image - - ``redhat/ubi8-minimal`` + - ``redhat/ubi8`` - * - Debian-based image with App Protect - ``debian:buster-slim`` - NGINX Plus App Protect module * - Ubi-based image with App Protect - - ``registry.access.redhat.com/ubi7/ubi`` + - ``redhat/ubi8`` - NGINX Plus App Protect module ```