diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eb1440b8b3..84a1f0fd15 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,6 +4,7 @@ on: push: branches: - master + - release-* paths-ignore: - 'docs/**' - 'examples/**' @@ -13,7 +14,7 @@ on: pull_request: branches: - master - - 'release-*' + - release-* paths-ignore: - 'docs/**' - 'examples/**' @@ -30,7 +31,7 @@ defaults: shell: bash env: - K8S_VERSION: 1.23.0 + K8S_VERSION: 1.23.1 K8S_TIMEOUT: 75s HELM_CHART_DIR: deployments/helm-chart GIT_NAME: NGINX Kubernetes Team @@ -165,7 +166,7 @@ jobs: {\"image\": \"opentracing-plus\", \"marker\": \"vsr\"}, \ {\"image\": \"ubi-plus\", \"marker\": \"policies\"}]}" else - echo "::set-output name=matrix::{\"k8s\": [\"1.19.11\", \"1.20.7\", \"1.21.2\", \"1.22.4\", \"1.23.0\"]}" + echo "::set-output name=matrix::{\"k8s\": [\"1.19.11\", \"1.20.7\", \"1.21.2\", \"1.22.4\", \"1.23.1\"]}" fi smoke-tests: @@ -291,13 +292,14 @@ jobs: name: Build Docker Images runs-on: ubuntu-20.04 needs: build-binaries + if: ${{ !startsWith(github.ref, 'refs/heads/release') }} strategy: matrix: image: [debian, alpine, opentracing, alpine-opentracing] platforms: ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"] include: - image: ubi - platforms: "linux/arm64, linux/amd64" + platforms: "linux/arm64, linux/amd64, linux/s390x" steps: - name: Checkout Repository uses: actions/checkout@v2 @@ -343,7 +345,7 @@ jobs: nginx/nginx-ingress ghcr.io/nginxinc/kubernetes-ingress public.ecr.aws/nginx/nginx-ingress - flavor: suffix=${{ matrix.image == 'ubi' && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.image, 'opentracing') && '-ot' || '' }},onlatest=true + flavor: suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.image, 'opentracing') && '-ot' || '' }},onlatest=true tags: | type=edge type=ref,event=pr 
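Review bot: The new job condition `if: ${{ !startsWith(github.ref, 'refs/heads/release') }}` in the `build-docker` hunk (`@@ -291`) uses a looser prefix than the `release-*` branch filter added to the triggers above: it also matches branches such as `release` or `releases/x`, so a branch that is not a release branch would skip the OSS image build without any indication. `'refs/heads/release-'` would keep the two in step; the same expression recurs in the `package-helm` and `release-helm` hunks (`@@ -412` and `@@ -442`) and in the Plus job's `images:` and `tags:` expressions. The `ubi` entry now lists `linux/s390x`, but this job's QEMU setup step is outside the hunk; if it installs only arm64 emulation like the Plus job's `platforms: arm64`, the s390x build would have no emulator. The job's definition begins before this hunk and its steps continue after it.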
@@ -357,7 +359,7 @@ jobs: - name: Output Variables id: var run: | - version=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} + version=${{ steps.meta.outputs.version }} if ${{ startsWith(github.ref, 'refs/tags/') }}; then ic_version=v$version else @@ -366,7 +368,7 @@ jobs: ic_version=$tag-$version-$sha_short fi echo "::set-output name=ic_version::$ic_version" - - name: Build Docker images (and push to Dockerhub if not a PR) + - name: Build Docker image (and push if not a PR) uses: docker/build-push-action@v2 with: file: build/Dockerfile 
@@ -384,10 +386,135 @@ jobs: BUILD_OS=${{ matrix.image }} IC_VERSION=${{ steps.var.outputs.ic_version }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.2.0 + uses: aquasecurity/trivy-action@0.2.2 continue-on-error: true with: - image-ref: nginx/nginx-ingress:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} + image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }} + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results-${{ matrix.image }}.sarif' + ignore-unfixed: 'true' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + continue-on-error: true + with: + sarif_file: 'trivy-results-${{ matrix.image }}.sarif' + - name: Upload Scan Results + uses: actions/upload-artifact@v2 + continue-on-error: true + with: + name: 'trivy-results-${{ matrix.image }}.sarif' + path: 'trivy-results-${{ matrix.image }}.sarif' + if: always() + + build-docker-plus: + name: Build Plus Docker Images + runs-on: ubuntu-20.04 + needs: build-binaries + strategy: + matrix: + image: [debian-plus, alpine-plus, opentracing-plus] + platforms: ["linux/arm64, linux/amd64"] + include: + - image: ubi-plus + platforms: "linux/arm64, linux/amd64, linux/s390x" + steps: + - name: Checkout Repository + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Fetch Cached Artifacts + uses: actions/cache@v2 + with: + path: ${{ github.workspace }}/dist + key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}-multi + - name: Setup QEMU + uses: docker/setup-qemu-action@v1 + with: + platforms: arm64 + if: github.event_name != 'pull_request' + - name: Docker Buildx + uses: docker/setup-buildx-action@v1 + - name: GCR Login + uses: docker/login-action@v1 + with: + registry: gcr.io + username: _json_key + password: ${{ secrets.GCR_JSON_KEY }} + if: github.event_name != 'pull_request' + + - name: Docker meta + id: meta + uses: docker/metadata-action@v3 + with: 
+ images: | + ${{ startsWith(github.ref, 'refs/tags/') && 'gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress' || '' }} + ${{ startsWith(github.ref, 'refs/heads/release') && 'gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/staging/nginx-ic/nginx-plus-ingress' || '' }} + gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress + flavor: suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.image, 'opentracing') && '-ot' || '' }},onlatest=true + tags: | + type=edge + type=ref,event=branch,enable=${{ startsWith(github.ref, 'refs/heads/release') }} + type=ref,event=pr + type=schedule,pattern={{date 'YYYYMMDD'}} + type=semver,pattern={{version}} + labels: | + org.opencontainers.image.description=NGINX Plus Ingress Controller for Kubernetes + org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller + org.opencontainers.image.vendor=NGINX Inc + + - name: Output Variables + id: var + run: | + version=${{ steps.meta.outputs.version }} + if ${{ startsWith(github.ref, 'refs/tags/') }}; then + ic_version=v$version + else + tag=$(git describe --tags --abbrev=0) + sha_short=$(echo ${{ github.sha }} | cut -c1-7) + ic_version=$tag-$version-$sha_short + fi + echo "::set-output name=ic_version::$ic_version" + - name: Build Plus Docker image + uses: docker/build-push-action@v2 + with: + file: build/Dockerfile + context: '.' 
+ cache-from: type=gha,scope=${{ matrix.image }} + cache-to: type=gha,scope=${{ matrix.image }},mode=max + target: goreleaser + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + platforms: ${{ github.event_name != 'pull_request' && matrix.platforms || '' }} + load: ${{ github.event_name == 'pull_request' }} + push: ${{ github.event_name != 'pull_request' }} + pull: true + build-args: | + BUILD_OS=${{ matrix.image }} + IC_VERSION=${{ startsWith(github.ref, 'refs/tags/') && steps.var.outputs.ic_version || 'CI' }} + secrets: | + "nginx-repo.crt=${{ secrets.NGINX_CRT }}" + "nginx-repo.key=${{ secrets.NGINX_KEY }}" + - name: Load image for Trivy + uses: docker/build-push-action@v2 + with: + file: build/Dockerfile + context: '.' + cache-from: type=gha,scope=${{ matrix.image }} + target: goreleaser + tags: docker.io/${{ matrix.image }}:${{ steps.meta.outputs.version }} + load: true + build-args: | + BUILD_OS=${{ matrix.image }} + IC_VERSION=CI + secrets: | + "nginx-repo.crt=${{ secrets.NGINX_CRT }}" + "nginx-repo.key=${{ secrets.NGINX_KEY }}" + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.2.2 + continue-on-error: true + with: + image-ref: docker.io/${{ matrix.image }}:${{ steps.meta.outputs.version }} format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results-${{ matrix.image }}.sarif' @@ -412,7 +539,7 @@ jobs: outputs: version: ${{ steps.var.outputs.helm_version }} type: ${{ steps.var.outputs.helm_type }} - if: github.event_name == 'push' + if: ${{ github.event_name == 'push' && !startsWith(github.ref, 'refs/heads/release') }} steps: - name: Checkout Repository uses: actions/checkout@v2 @@ -442,7 +569,7 @@ jobs: name: Release Helm Chart runs-on: ubuntu-20.04 needs: package-helm - if: github.event_name == 'push' + if: ${{ github.event_name == 'push' && !startsWith(github.ref, 'refs/heads/release') }} steps: - name: Checkout Repository uses: actions/checkout@v2 
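Review bot: In the new `build-docker-plus` job the QEMU step requests only `platforms: arm64`, yet the `ubi-plus` matrix entry builds `linux/arm64, linux/amd64, linux/s390x`; unless the `goreleaser` Dockerfile target runs nothing under the target architecture, the s390x build has no emulator, so the step should request `platforms: arm64,s390x` (or omit the `platforms:` input to install all). The `Upload Trivy scan results to GitHub Security tab` steps call `github/codeql-action/upload-sarif`, which needs the `security-events: write` permission; the workflow's `permissions:` block is not in this diff, so confirm it is granted, otherwise the `continue-on-error: true` on that step hides a permanently failing upload. With `continue-on-error: true` on both the scanner and the upload, a finding never fails the job; if a gate is intended, set trivy-action's `exit-code` and `severity` inputs and remove `continue-on-error` from the scanner step. Note also that the Plus Trivy scan targets a separate `IC_VERSION=CI` rebuild loaded locally rather than the pushed tags, so the scanned image is not byte-identical to the published one; that is fine for OS-package findings but deserves a comment on the `Load image for Trivy` step, whose Trivy scanner inputs continue past the end of this hunk.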
diff --git a/docs/content/technical-specifications.md b/docs/content/technical-specifications.md index ffd1ffe408..d6b4fd85bd 100644 --- a/docs/content/technical-specifications.md +++ b/docs/content/technical-specifications.md @@ -33,7 +33,7 @@ All images include NGINX 1.21.5. |Alpine-based image with OpenTracing | ``nginx:1.21.5-alpine``, which is based on ``alpine:3.15`` | NGINX OpenTracing module, OpenTracing library, OpenTracing tracers for Jaeger, Zipkin and Datadog | ``nginx/nginx-ingress:2.1.0-alpine-ot`` | arm/v7, arm64, amd64, ppc64le, s390x | |Debian-based image | ``nginx:1.21.5``, which is based on ``debian:bullseye-slim`` | | ``nginx/nginx-ingress:2.1.0`` | arm/v7, arm64, amd64, ppc64le, s390x | |Debian-based image with OpenTracing | ``nginx:1.21.5``, which is based on ``debian:bullseye-slim`` | NGINX OpenTracing module, OpenTracing library, OpenTracing tracers for Jaeger, Zipkin and Datadog | ``nginx/nginx-ingress:2.1.0-ot`` | arm/v7, arm64, amd64, ppc64le, s390x | -|Ubi-based image | ``redhat/ubi8-minimal`` | | ``nginx/nginx-ingress:2.1.0-ubi`` | arm64, amd64 | +|Ubi-based image | ``redhat/ubi8-minimal`` | | ``nginx/nginx-ingress:2.1.0-ubi`` | arm64, amd64, s390x | {{% /table %}} ### Images with NGINX Plus