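# syntax=docker/dockerfile:1.2
# Source: github.com/nginxinc/kubernetes-ingress@v1.12.5/build/Dockerfile
#
# Multi-target build for the NGINX Ingress Controller image.
#   * BUILD_OS selects the base stage (debian, alpine, alpine-plus, debian-plus,
#     debian-plus-nap, ubi, ubi-plus, ubi-plus-nap, opentracing, opentracing-plus).
#   * FILES, when set, replaces BUILD_OS as the parent of the "common" stage
#     (plus-common or nap-common add the NGINX Plus / App Protect files first).
#   * The final target (container, local, goreleaser) decides where the
#     nginx-ingress binary comes from.
# NGINX Plus stages need the BuildKit secrets nginx-repo.crt and nginx-repo.key
# (docker build --secret id=nginx-repo.crt,src=<path> ...); ubi-plus-nap also
# needs rhel_license. Secrets are mounted only for the RUN that names them and
# are not written into an image layer.
# NOTE(review): base images are referenced by mutable tags; pinning them by
# digest would make rebuilds reproducible and tamper-evident.
ARG BUILD_OS=debian
ARG NGINX_PLUS_VERSION=r27
ARG FILES=
ARG DEBIAN_VERSION=bullseye-slim

############################################# Base image for Debian #############################################
FROM nginx:1.23.2 AS debian

# libcap2-bin provides setcap, used in the "common" stage.
RUN apt-get update \
    && apt-get install --no-install-recommends --no-install-suggests -y libcap2-bin \
    && rm -rf /var/lib/apt/lists/*


############################################# Base image for Alpine #############################################
FROM nginx:1.23.2-alpine AS alpine

# libcap provides setcap, used in the "common" stage.
RUN apk add --no-cache libcap


############################################# Base image for Alpine with NGINX Plus #############################################
FROM alpine:3.16 AS alpine-plus
ARG NGINX_PLUS_VERSION

# The repository client certificate and key are secret mounts (mode 0644 --
# presumably so an unprivileged download process can read them; confirm).
# NOTE(review): the signing key is fetched over HTTPS and trusted as-is; its
# fingerprint is not compared against a known value, so package authenticity
# rests on the TLS connection to cs.nginx.com.
RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
    --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \
    wget -nv -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \
    && printf "%s\n" "https://pkgs.nginx.com/plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
    && apk add --no-cache libcap nginx-plus~${NGINX_PLUS_VERSION#r} nginx-plus-module-njs~${NGINX_PLUS_VERSION#r}


############################################# Base image for Debian with NGINX Plus #############################################
FROM debian:${DEBIAN_VERSION} AS debian-plus
ARG IC_VERSION
ARG NGINX_PLUS_VERSION
ARG BUILD_OS

# bash with pipefail so a failed curl in "curl | gpg" fails the build.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# NOTE(review): the signing key is fetched over HTTPS without a fingerprint
# check, and a key placed in /etc/apt/trusted.gpg.d is trusted for every
# configured repository, not only pkgs.nginx.com.
# The tools needed only for repository setup (apt-transport-https, gnupg, curl)
# are purged in the same layer.
RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
    --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
    apt-get update \
    && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg curl apt-transport-https libcap2-bin \
    && curl -fsSL https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_signing.gpg \
    && curl -fsSL -o /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx \
    && DEBIAN_VERSION=$(awk -F '=' '/^VERSION_CODENAME=/ {print $2}' /etc/os-release) \
    && printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent \"k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt\";" >> /etc/apt/apt.conf.d/90pkgs-nginx \
    && printf "%s\n" "deb https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION^^}/debian ${DEBIAN_VERSION} nginx-plus" > /etc/apt/sources.list.d/nginx-plus.list \
    && apt-get update \
    && apt-get install --no-install-recommends --no-install-suggests -y nginx-plus nginx-plus-module-njs \
    && apt-get purge --auto-remove -y apt-transport-https gnupg curl \
    && rm -rf /var/lib/apt/lists/*


############################################# Base image for Debian with NGINX Plus and App Protect #############################################
FROM debian-plus AS debian-plus-nap
ARG IC_VERSION
ARG NGINX_PLUS_VERSION

# NOTE(review): the app-protect repository line is hard-coded to "buster" while
# the security-updates line uses the detected codename; confirm this is intended.
# The libc6/libc-bin install now passes -y: without it apt-get aborts in a
# non-interactive build whenever it needs confirmation.
RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
    --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
    apt-get update \
    && apt-get install --no-install-recommends --no-install-suggests -y gnupg curl apt-transport-https \
    && curl -fsSL https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_app_signing.gpg \
    && DEBIAN_VERSION=$(awk -F '=' '/^VERSION_CODENAME=/ {print $2}' /etc/os-release) \
    && printf "%s\n" "deb https://pkgs.nginx.com/app-protect/${NGINX_PLUS_VERSION^^}/debian buster nginx-plus" \
    "deb https://pkgs.nginx.com/app-protect-security-updates/debian ${DEBIAN_VERSION} nginx-plus" > /etc/apt/sources.list.d/nginx-app-protect.list \
    && apt-get update \
    && apt-get install --no-install-recommends --no-install-suggests -y app-protect app-protect-attack-signatures app-protect-threat-campaigns \
    # temp fix for CVE-2021-33574
    && apt-get install -y libc6 libc-bin \
    && apt-get purge --auto-remove -y apt-transport-https gnupg curl \
    && rm -rf /var/lib/apt/lists/* \
    && rm /etc/apt/sources.list.d/nginx-app-protect.list

# Uncomment the lines below if you want to install a custom CA certificate
# COPY build/*.crt /usr/local/share/ca-certificates/
# RUN update-ca-certificates


############################################# Base image for UBI #############################################
# NOTE(review): redhat/ubi8 carries no tag, so it resolves to :latest at build
# time; pin a tag or digest for reproducible builds.
FROM redhat/ubi8 AS ubi-base
ARG IC_VERSION

SHELL ["/bin/bash", "-o", "pipefail", "-c"]
LABEL name="NGINX Ingress Controller" \
      maintainer="kubernetes@nginx.com" \
      vendor="NGINX Inc" \
      version="${IC_VERSION}" \
      release="1" \
      summary="The Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources." \
      description="The Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources." \
      io.k8s.description="The NGINX Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources." \
      io.openshift.tags="nginx,ingress-controller,ingress,controller,kubernetes,openshift"

# Create the unprivileged nginx account with a fixed UID/GID of 101, no home
# directory and no login shell. dnf metadata is cleaned in the same layer.
RUN dnf --nodocs install -y shadow-utils ca-certificates \
    && groupadd --system --gid 101 nginx \
    && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
    && dnf clean all

COPY --chown=nginx:0 LICENSE /licenses/


############################################# Base image for UBI OSS #############################################
FROM ubi-base AS ubi
ARG NGINX_VERSION

# The temporary nginx.org repository is written with gpgcheck=1 and removed
# again once the package is installed.
RUN rpm --import https://nginx.org/keys/nginx_signing.key \
    && version=$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1) \
    && printf "%s\n" "[nginx]" "name=nginx repo" \
    "baseurl=https://nginx.org/packages/mainline/centos/${version}/\$basearch/" \
    "gpgcheck=1" "enabled=1" "module_hotfixes=true" > /etc/yum.repos.d/nginx.repo \
    && dnf --nodocs install -y nginx-${NGINX_VERSION} \
    && rm /etc/yum.repos.d/nginx.repo \
    && dnf clean all


############################################# Base image for UBI with NGINX Plus #############################################
FROM ubi-base AS ubi-plus
ARG NGINX_PLUS_VERSION

# NOTE(review): "tr 0 1" rewrites every 0 in the downloaded repo file to 1 --
# presumably to turn gpgcheck=0 into gpgcheck=1, but it is not limited to that
# key; verify the resulting /etc/yum.repos.d/nginx-plus.repo.
# NOTE(review): nginx-plus.repo stays in this image; no visible stage removes it.
RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
    --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
    rpm --import https://cs.nginx.com/static/keys/nginx_signing.key \
    && curl -fsSL "https://cs.nginx.com/static/files/nginx-plus-$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1).repo" | tr 0 1 > /etc/yum.repos.d/nginx-plus.repo \
    && dnf --nodocs install -y nginx-plus-${NGINX_PLUS_VERSION} nginx-plus-module-njs-${NGINX_PLUS_VERSION} \
    && dnf clean all


############################################# Base image for UBI with NGINX Plus and App Protect #############################################
FROM ubi-plus AS ubi-plus-nap
ARG NGINX_PLUS_VERSION

# /tmp/rhel_license is sourced for RHEL_ORGANIZATION and RHEL_ACTIVATION_KEY.
# "|| true" is scoped to the register call only, so a failure to read the
# licence file stops the build instead of being masked. The system is
# unregistered again before the layer is committed.
# NOTE(review): epel-release is installed straight from an unpinned "latest"
# URL; confirm that GPG verification applies to packages given by URL here.
RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
    --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
    --mount=type=secret,id=rhel_license,dst=/tmp/rhel_license,mode=0644 \
    source /tmp/rhel_license \
    && { subscription-manager register --org="${RHEL_ORGANIZATION}" --activationkey="${RHEL_ACTIVATION_KEY}" || true; } \
    && subscription-manager attach \
    && dnf config-manager --set-enabled codeready-builder-for-rhel-8-x86_64-rpms \
    && dnf --nodocs install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \
    && curl -fsSL https://cs.nginx.com/static/files/app-protect-8.repo > /etc/yum.repos.d/app-protect-8.repo \
    && dnf --nodocs install -y app-protect-${NGINX_PLUS_VERSION#r}* app-protect-attack-signatures app-protect-threat-campaigns \
    && rm /etc/yum.repos.d/app-protect*.repo \
    && subscription-manager unregister \
    && dnf clean all && rm -rf /var/cache/dnf

# Uncomment the lines below if you want to install a custom CA certificate
# COPY build/*.crt /etc/pki/ca-trust/source/anchors/
# RUN update-ca-trust extract


############################################# Base images containing libs for Opentracing #############################################
# NOTE(review): shared libraries from this third-party image end up in the
# final image; consider pinning it by digest.
FROM opentracing/nginx-opentracing:nginx-1.23.2 AS opentracing-lib


############################################# Build image for Debian with Opentracing #############################################
# "debian" here is the stage defined above (FROM nginx:1.23.2 AS debian).
FROM debian AS opentracing

# The opentracing-lib filesystem is bind-mounted at /tmp for this RUN only.
RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ cp -av /tmp/usr/local/lib/libopentracing.so* /tmp/usr/local/lib/libjaegertracing*so* /tmp/usr/local/lib/libzipkin*so* /tmp/usr/local/lib/libdd*so* /tmp/usr/local/lib/libyaml*so* /usr/local/lib/ \
    && cp -av /tmp/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \
    && ldconfig


############################################# Build image for Opentracing with NGINX Plus #############################################
FROM debian-plus AS opentracing-plus

RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
    --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
    apt-get update \
    && apt-get install --no-install-recommends --no-install-suggests -y libcurl4 nginx-plus-module-opentracing \
    && rm -rf /var/lib/apt/lists/*

RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ cp -av /tmp/usr/local/lib/libjaegertracing*so* /tmp/usr/local/lib/libzipkin*so* /tmp/usr/local/lib/libdd*so* /tmp/usr/local/lib/libyaml*so* /usr/local/lib/ \
    && ldconfig


############################################# Create common files for NGINX Plus #############################################
FROM $BUILD_OS AS plus-common

COPY --chown=nginx:0 internal/configs/oidc/* /etc/nginx/oidc/


############################################# Create common files for NGINX Plus with App Protect #############################################
FROM plus-common AS nap-common

# Create the App Protect working directories, hand them to nginx:0, and set
# the App Protect loggers to their quietest levels.
RUN mkdir -p /etc/nginx/waf/nac-policies /etc/nginx/waf/nac-logconfs /etc/nginx/waf/nac-usersigs /var/log/app_protect /opt/app_protect \
    && chown -R nginx:0 /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ /var/log/nginx/ \
    && touch /etc/nginx/waf/nac-usersigs/index.conf \
    && printf "%s\n" "MODULE = ALL;" "LOG_LEVEL = TS_CRIT;" "FILE = 2;" > /etc/app_protect/bd/logger.cfg \
    && printf "%s\n" "[config_set_compiler]" "log_level=fatal" >> /etc/app_protect/tools/asm_logging.conf \
    && for v in \
        asm_config_server \
        lock_factory \
        bd_agent \
        import_export_policy \
        set_active \
    ; do sed -i "/\[$v/a log_level=fatal" "/etc/app_protect/tools/asm_logging.conf" \
    ; done

COPY --chown=nginx:0 build/log-default.json /etc/nginx


############################################# Create common files, permissions and setcap #############################################
FROM ${FILES:-$BUILD_OS} AS common

ARG PLUS
ARG BUILD_OS
ARG IC_VERSION
ARG GIT_COMMIT
ARG DATE
ARG TARGETPLATFORM

# cap_net_bind_service lets the nginx binaries bind ports 80/443 while the
# container runs as the unprivileged nginx user; "setcap -v" verifies that the
# capability was applied. The NGINX Plus apt repository configuration is
# removed so it does not ship in the final image.
RUN mkdir -p /var/lib/nginx /etc/nginx/secrets /etc/nginx/stream-conf.d \
    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
    && chown -R nginx:0 /etc/nginx /etc/nginx/secrets /var/cache/nginx /var/lib/nginx \
    && rm -f /etc/nginx/conf.d/* /etc/apt/apt.conf.d/90pkgs-nginx /etc/apt/sources.list.d/nginx-plus.list

COPY --chown=nginx:0 internal/configs/version1/nginx$PLUS.ingress.tmpl \
    internal/configs/version1/nginx$PLUS.tmpl \
    internal/configs/version2/nginx$PLUS.virtualserver.tmpl \
    internal/configs/version2/nginx$PLUS.transportserver.tmpl /

# Uncomment the line below if you would like to add the default.pem to the image
# and use it as a certificate and key for the default server
# Caveat: a private key baked into the image is readable by anyone who can
# pull the image; prefer supplying the default server certificate at deploy
# time (for example from a Kubernetes Secret).
# ADD default.pem /etc/nginx/secrets/default

EXPOSE 80 443

STOPSIGNAL SIGTERM
ENTRYPOINT ["/nginx-ingress"]
# NOTE(review): Kubernetes runAsNonRoot can only verify a numeric UID; the UBI
# stages create nginx as UID 101 -- confirm the UID on the other bases before
# switching to a numeric USER.
USER nginx

LABEL org.opencontainers.image.title="NGINX Ingress Controller for Kubernetes"
LABEL org.opencontainers.image.documentation="https://docs.nginx.com/nginx-ingress-controller"
LABEL org.opencontainers.image.source="https://github.com/nginxinc/kubernetes-ingress"
LABEL org.opencontainers.image.vendor="NGINX Inc <kubernetes@nginx.com>"
LABEL org.opencontainers.image.licenses="Apache-2.0"
LABEL org.opencontainers.image.version="${IC_VERSION}"
LABEL org.opencontainers.image.revision="${GIT_COMMIT}"
LABEL org.opencontainers.image.created="${DATE}"
LABEL org.nginx.kic.image.build.target="${TARGETPLATFORM}"
LABEL org.nginx.kic.image.build.os="${BUILD_OS}"
LABEL org.nginx.kic.image.build.nginx.version="${NGINX_PLUS_VERSION}${NGINX_VERSION}"


############################################# Build nginx-ingress in golang container #############################################
FROM golang:1.19-alpine AS builder
ARG IC_VERSION
ARG GIT_COMMIT
ARG DATE
ARG TARGETARCH

WORKDIR /go/src/github.com/nginxinc/kubernetes-ingress/nginx-ingress/cmd/nginx-ingress
# Module files are copied first so the dependency download layer stays cached
# until go.mod or go.sum changes.
COPY go.mod go.sum /go/src/github.com/nginxinc/kubernetes-ingress/nginx-ingress/
RUN go mod download
# The whole build context is copied into this (discarded) stage; keep the
# repository certificate/key and other credentials out of the context with
# .dockerignore.
COPY . /go/src/github.com/nginxinc/kubernetes-ingress/nginx-ingress/
# Static binary (CGO disabled), stripped (-s -w) and built with -trimpath so
# local build paths are not embedded.
RUN CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=$TARGETARCH go build -trimpath -ldflags "-s -w -X main.version=${IC_VERSION} -X main.commit=${GIT_COMMIT} -X main.date=${DATE}" -o /nginx-ingress


############################################# Create image with nginx-ingress built in container #############################################
FROM common AS container
COPY --chown=nginx:0 --from=builder /nginx-ingress /


############################################# Create image with nginx-ingress built locally #############################################
FROM common AS local
COPY --chown=nginx:0 nginx-ingress /


############################################# Create image with nginx-ingress built by GoReleaser #############################################
FROM common AS goreleaser
ARG TARGETARCH
ARG TARGETVARIANT

COPY --chown=nginx:0 dist/kubernetes-ingress_linux_${TARGETARCH}*/nginx-ingress /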