From 915243dbe72c17e845e15db2cb7dd5bb42fc5b14 Mon Sep 17 00:00:00 2001
From: Nashwan Azhari
Date: Tue, 20 Aug 2024 17:02:21 +0300
Subject: [PATCH] Add `controller:v1.11.0` rockcraft specs and tests. (#4)
---------
Signed-off-by: Nashwan Azhari
---
controller/README.md | 3 +
controller/v1.10.1/README.md | 3 +
controller/v1.10.1/rockcraft.yaml | 871 ++++++++++++++++++
controller/v1.11.0/README.md | 3 +
controller/v1.11.0/rockcraft.yaml | 868 +++++++++++++++++
kube-webhook-certgen/v1.4.0/README.md | 5 +
kube-webhook-certgen/v1.4.0/nsswitch.conf | 23 +
.../v1.4.0/pebble-entrypoint.sh | 12 +
kube-webhook-certgen/v1.4.0/rockcraft.yaml | 157 ++++
kube-webhook-certgen/v1.4.1/nsswitch.conf | 2 +-
.../v1.4.1/pebble-entrypoint.sh | 12 +
kube-webhook-certgen/v1.4.1/rockcraft.yaml | 30 +-
.../test_nginx_components_in_helm_chart.py | 97 +-
tests/sanity/test_controller.py | 58 ++
tests/sanity/test_kube_webhook_certgen.py | 2 +-
15 files changed, 2115 insertions(+), 31 deletions(-)
create mode 100644 controller/README.md
create mode 100644 controller/v1.10.1/README.md
create mode 100644 controller/v1.10.1/rockcraft.yaml
create mode 100644 controller/v1.11.0/README.md
create mode 100644 controller/v1.11.0/rockcraft.yaml
create mode 100644 kube-webhook-certgen/v1.4.0/README.md
create mode 100644 kube-webhook-certgen/v1.4.0/nsswitch.conf
create mode 100755 kube-webhook-certgen/v1.4.0/pebble-entrypoint.sh
create mode 100644 kube-webhook-certgen/v1.4.0/rockcraft.yaml
create mode 100755 kube-webhook-certgen/v1.4.1/pebble-entrypoint.sh
create mode 100644 tests/sanity/test_controller.py
diff --git a/controller/README.md b/controller/README.md
new file mode 100644
index 0000000..210fe69
--- /dev/null
+++ b/controller/README.md
@@ -0,0 +1,3 @@
+# ROCK specs for Nginx ingress `controller`.
+
+Aims to be compatible with `registry.k8s.io/ingress-nginx/controller:v1.11.0`.
diff --git a/controller/v1.10.1/README.md b/controller/v1.10.1/README.md
new file mode 100644
index 0000000..a9f7f73
--- /dev/null
+++ b/controller/v1.10.1/README.md
@@ -0,0 +1,3 @@
+# ROCK specs for Nginx ingress controller.
+
+Aims to be compatible with `registry.k8s.io/ingress-nginx/controller:v1.10.1`.
diff --git a/controller/v1.10.1/rockcraft.yaml b/controller/v1.10.1/rockcraft.yaml
new file mode 100644
index 0000000..1befce3
--- /dev/null
+++ b/controller/v1.10.1/rockcraft.yaml
@@ -0,0 +1,871 @@
+# Copyright 2024 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+# Rockcraft definition for the Nginx ingress controller image:
+# registry.k8s.io/ingress-nginx/controller:v1.10.1
+
+name: controller
+summary: Rock for the Nginx ingress controller.
+description: |
+ Rock for the Nginx ingress controller.
+ https://github.com/kubernetes/ingress-nginx
+license: Apache-2.0
+
+version: v1.10.1
+
+# Upstream image is based on Alpine:
+# https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/images/nginx-1.25/rootfs/Dockerfile#L24
+base: ubuntu@22.04
+build-base: ubuntu@22.04
+platforms:
+ amd64:
+ arm64:
+
+services:
+ nginx:
+ startup: enabled
+ override: replace
+
+ command: /usr/bin/dumb-init -- [ /nginx-ingress-controller ]
+
+entrypoint-service: nginx
+
+# https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/images/nginx-1.25/rootfs/Dockerfile#L26-L29
+environment:
+ # NOTE: string interpolation is not supported within 'environment' variable delcarations.
+ # This value is simply the default $PATH on Ubuntu 22.04 images with the + # relevant lua/nginx binary locations appended to it: + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/images/nginx-1.25/rootfs/Dockerfile#L26 + PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin + + LUA_PATH: /usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;; + LUA_CPATH: /usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;; + LD_LIBRARY_PATH: /usr/local/lib + +parts: + + prepare-base-image: + plugin: nil + stage-packages: + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/images/nginx-1.25/rootfs/Dockerfile#L39-L53 + - bash + - passwd + - libpcre3 + - libpcre3-dev + - zlib1g-dev + - ca-certificates + - patch + - libyajl2 + - yajl-tools + - liblmdb-dev + - lmdb-utils + - libxml2 + - libmaxminddb-dev + - libyaml-cpp-dev + - libprotobuf-dev + - dumb-init + - tzdata + + overlay-script: | + set -eux -o pipefail + + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/images/nginx-1.25/rootfs/Dockerfile#L55-L56 + # NOTE(aznashwan): the base Ubuntu image already defines a 'www-data' user. 
+ # groupadd -R $CRAFT_OVERLAY -r -g 101 www-data + # useradd -R $CRAFT_OVERLAY \ + # -s /sbin/nologin -d /usr/local/nginx --no-log-init -r -m -g 101 -u 101 www-data + + build-libgrpcpp: + plugin: nil + after: ['prepare-base-image'] + + source-type: git + # HACK(aznashwan): the `libgrpc++` package on 22.04 is version 1.30, + # while the `grpc-dev` package in the Alpine repos used in the original + # image is currently 1.62.1, so we must build it ourselves: + source: https://github.com/grpc/grpc + source-tag: v1.62.1 + source-depth: 1 + + build-packages: + - cmake + + override-build: | + set -eux -o pipefail + + cd $CRAFT_PART_SRC + + mkdir -p cmake/build + pushd cmake/build + cmake -DgRPC_INSTALL=ON -DgRPC_BUILD_TESTS=OFF \ + -DBUILD_SHARED_LIBS=ON \ + ../.. + # -DCMAKE_INSTALL_PREFIX=$LIBGRPC_INSTALL_DIR \ + make -j 4 + make install + + build-libssl: + plugin: nil + after: ['prepare-base-image'] + + source-type: tar + # HACK(aznashwan): the version of OpenSSL used in the upstream Nginx + # image is 3.3.1, which is not otherwise available on 22.04: + source: https://github.com/openssl/openssl/releases/download/openssl-3.3.1/openssl-3.3.1.tar.gz + + build-packages: + - build-essential + - checkinstall + - zlib1g-dev + + override-build: | + set -eux -o pipefail + + cd $CRAFT_PART_SRC + + ./config shared zlib + make + make install + + LIBSSL_TARGET="/usr/local/lib64/libssl.so.3" + LIBCRYPTO_TARGET="/usr/local/lib64/libcrypto.so" + if [ "$CRAFT_TARGET_ARCH" == "arm64" ]; then + LIBSSL_TARGET="/usr/lib/aarch64-linux-gnu/libssl.so.3" + LIBCRYPTO_TARGET="/usr/lib/aarch64-linux-gnu/libcrypto.so.3" + fi + + rm -f /usr/local/lib/libssl.so + ln -s $LIBSSL_TARGET /usr/local/lib/libssl.so + + rm -f /usr/local/lib/libcrypto.so + ln -s $LIBCRYPTO_TARGET /usr/local/lib/libcrypto.so + + ldconfig -p + + build-nginx: + plugin: nil + after: ['build-libgrpcpp', 'build-libssl'] + + source-type: git + source: https://github.com/kubernetes/ingress-nginx + source-tag: controller-v1.10.1 + 
source-depth: 1 + + build-packages: + - bash + - gcc + - clang + - libc-dev + - make + - automake + - libpcre3 + - libpcre3-dev + - zlib1g-dev + - linux-headers-generic + - libxslt-dev + - libgd3 + - libperl-dev + - libedit-dev + - mercurial + - build-essential + - findutils + - curl + - ca-certificates + - patch + - libaio-dev + - cmake + - util-linux + - liblmdb-dev + - lmdb-utils + - wget + - libcurl4-openssl-dev + - git + - g++ + - pkgconf + - flex + - bison + - doxygen + - libyajl2 + - yajl-tools + - libtool + - autoconf + - libxml2 + - libxml2-dev + - python3 + - libmaxminddb-dev + - bc + - unzip + - dos2unix + - libyaml-cpp-dev + - coreutils + - libbrotli-dev + - ninja-build + - libgtest-dev + - libc-ares2 + - libc-ares-dev + - libre2-dev + - libprotobuf-dev + - libabsl-dev + - libcap2-bin + + build-environment: + - LD_LIBRARY_PATH: /usr/local/lib + + override-build: | + # Mostly lifted 1:1 from the upstream build script: + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/images/nginx-1.25/rootfs/build.sh + # The following notable adaptations were necessary: + # - translated `apk add` dep packages into `build-packages` + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/images/nginx-1.25/rootfs/build.sh#L139-L184 + # - removed `adduser www-data` (base Ubuntu defines www-data user by default) + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/images/nginx-1.25/rootfs/build.sh#L617 + # - relevant `mv $CRAFT_PART_INSTALL` calls at the very end + set -eux -o pipefail + + export NGINX_VERSION=1.25.3 + + # Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.3...master + export NDK_VERSION=v0.3.3 + + # Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master + export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e + + # Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.37...master + 
export MORE_HEADERS_VERSION=v0.37 + + # Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master + export NGINX_DIGEST_AUTH=v1.0.0 + + # Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master + export NGINX_SUBSTITUTIONS=e12e965ac1837ca709709f9a26f572a54d83430e + + # Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master + export MODSECURITY_VERSION=v1.0.3 + + # Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master + export MODSECURITY_LIB_VERSION=v3.0.12 + + # Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.2...v3.3/master + export OWASP_MODSECURITY_CRS_VERSION=v3.3.5 + + # Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.25...master + export LUA_NGX_VERSION=v0.10.26 + + # Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.13...master + export LUA_STREAM_NGX_VERSION=v0.0.14 + + # Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master + export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36 + + # Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.11...openresty:master + export LUA_CJSON_VERSION=2.1.0.13 + + # Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.4...master + export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425 + + # Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20230410...v2.1-agentzh + export LUAJIT_VERSION=v2.1-20231117 + + # Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.04...master + export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea + + # Check for recent changes: 
https://github.com/openresty/lua-resty-lrucache/compare/v0.13...master + export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed + + # Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master + export LUA_RESTY_CORE=v0.1.28 + + # Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/v0.1.0...master + export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4 + + # Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/v0.22...master + export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f + + # Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.16.1...master + export LUA_RESTY_HTTP=v0.17.1 + + # Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master + export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9 + + # Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master + export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3 + + # Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master + export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844 + + # Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master + export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b + + # Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master + export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8 + + # Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master + export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be + + # Check for recent changes: https://github.com/ElvinEfendi/lua-resty-global-throttle/compare/v0.2.0...main + export LUA_RESTY_GLOBAL_THROTTLE_VERSION=v0.2.0 + + # Check for recent changes: 
https://github.com/microsoft/mimalloc/compare/v1.7.6...master + export MIMALOC_VERSION=v2.1.2 + + # Check on https://github.com/open-telemetry/opentelemetry-cpp + export OPENTELEMETRY_CPP_VERSION="v1.11.0" + # Check on https://github.com/open-telemetry/opentelemetry-proto + export OPENTELEMETRY_PROTO_VERSION="v1.1.0" + + export BUILD_PATH=/tmp/build + + ARCH=$(uname -m) + + get_src() + { + hash="$1" + url="$2" + dest="${3-}" + ARGS="" + f=$(basename "$url") + + echo "Downloading $url" + + curl -sSL "$url" -o "$f" + # TODO: Reenable checksum verification but make it smarter + # echo "$hash $f" | sha256sum -c - || exit 10 + if [ ! -z "$dest" ]; then + mkdir ${BUILD_PATH}/${dest} + ARGS="-C ${BUILD_PATH}/${dest} --strip-components=1" + fi + tar xvzf "$f" $ARGS + rm -rf "$f" + } + + # apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing opentelemetry-cpp-dev + + # There is some bug with some platforms and git, so force HTTP/1.1 + git config --global http.version HTTP/1.1 + git config --global http.postBuffer 157286400 + + mkdir -p /etc/nginx + + mkdir --verbose -p "$BUILD_PATH" + cd "$BUILD_PATH" + + # download, verify and extract the source files + get_src 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae \ + "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" + + get_src aa961eafb8317e0eb8da37eb6e2c9ff42267edd18b56947384e719b85188f58b \ + "https://github.com/vision5/ngx_devel_kit/archive/$NDK_VERSION.tar.gz" "ngx_devel_kit" + + get_src abc123 \ + "https://github.com/open-telemetry/opentelemetry-cpp/archive/$OPENTELEMETRY_CPP_VERSION.tar.gz" "opentelemetry-cpp" + + get_src abc123 \ + "https://github.com/open-telemetry/opentelemetry-proto/archive/$OPENTELEMETRY_PROTO_VERSION.tar.gz" "opentelemetry-proto" + + get_src cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 \ + "https://github.com/openresty/set-misc-nginx-module/archive/$SETMISC_VERSION.tar.gz" "set-misc-nginx-module" + + get_src 
0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \ + "https://github.com/openresty/headers-more-nginx-module/archive/$MORE_HEADERS_VERSION.tar.gz" "headers-more-nginx-module" + + get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \ + "https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest" + + get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \ + "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" "ngx_http_substitutions_filter_module" + + get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \ + "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx" + + get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \ + "https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz" "lua-nginx-module" + + get_src 01b715754a8248cc7228e0c8f97f7488ae429d90208de0481394e35d24cef32f \ + "https://github.com/openresty/stream-lua-nginx-module/archive/$LUA_STREAM_NGX_VERSION.tar.gz" "stream-lua-nginx-module" + + get_src a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f \ + "https://github.com/openresty/lua-upstream-nginx-module/archive/$LUA_UPSTREAM_VERSION.tar.gz" "lua-upstream-nginx-module" + + get_src 77bbcbb24c3c78f51560017288f3118d995fe71240aa379f5818ff6b166712ff \ + "https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" "luajit2" + + get_src b6c9c09fd43eb34a71e706ad780b2ead26549a9a9f59280fe558f5b7b980b7c6 \ + "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" "ngx_http_geoip2_module" + + get_src deb4ab1ffb9f3d962c4b4a2c4bdff692b86a209e3835ae71ebdf3b97189e40a9 \ + "https://github.com/openresty/lua-resty-upload/archive/$LUA_RESTY_UPLOAD_VERSION.tar.gz" "lua-resty-upload" + + get_src bdbf271003d95aa91cab0a92f24dca129e99b33f79c13ebfcdbbcbb558129491 \ + 
"https://github.com/openresty/lua-resty-string/archive/$LUA_RESTY_STRING_VERSION.tar.gz" "lua-resty-string" + + get_src 16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5 \ + "https://github.com/openresty/lua-resty-balancer/archive/$LUA_RESTY_BALANCER.tar.gz" "lua-resty-balancer" + + get_src 39baab9e2b31cc48cecf896cea40ef6e80559054fd8a6e440cc804a858ea84d4 \ + "https://github.com/openresty/lua-resty-core/archive/$LUA_RESTY_CORE.tar.gz" "lua-resty-core" + + get_src a77b9de160d81712f2f442e1de8b78a5a7ef0d08f13430ff619f79235db974d4 \ + "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" "lua-cjson" + + get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \ + "https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" "lua-resty-cookie" + + get_src 573184006b98ccee2594b0d134fa4d05e5d2afd5141cbad315051ccf7e9b6403 \ + "https://github.com/openresty/lua-resty-lrucache/archive/$LUA_RESTY_CACHE.tar.gz" "lua-resty-lrucache" + + get_src b4ddcd47db347e9adf5c1e1491a6279a6ae2a3aff3155ef77ea0a65c998a69c1 \ + "https://github.com/openresty/lua-resty-lock/archive/$LUA_RESTY_LOCK.tar.gz" "lua-resty-lock" + + get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \ + "https://github.com/openresty/lua-resty-dns/archive/$LUA_RESTY_DNS.tar.gz" "lua-resty-dns" + + get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \ + "https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz" "lua-resty-http" + + get_src 02733575c4aed15f6cab662378e4b071c0a4a4d07940c4ef19a7319e9be943d4 \ + "https://github.com/openresty/lua-resty-memcached/archive/$LUA_RESTY_MEMCACHED_VERSION.tar.gz" "lua-resty-memcached" + + get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \ + "https://github.com/openresty/lua-resty-redis/archive/$LUA_RESTY_REDIS_VERSION.tar.gz" "lua-resty-redis" + + get_src efb767487ea3f6031577b9b224467ddbda2ad51a41c5867a47582d4ad85d609e \ + 
"https://github.com/api7/lua-resty-ipmatcher/archive/$LUA_RESTY_IPMATCHER_VERSION.tar.gz" "lua-resty-ipmatcher" + + get_src 0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea \ + "https://github.com/ElvinEfendi/lua-resty-global-throttle/archive/$LUA_RESTY_GLOBAL_THROTTLE_VERSION.tar.gz" "lua-resty-global-throttle" + + get_src d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da \ + "https://github.com/microsoft/mimalloc/archive/${MIMALOC_VERSION}.tar.gz" "mimalloc" + + # improve compilation times + CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) + + export MAKEFLAGS=-j${CORES} + export CTEST_BUILD_FLAGS=${MAKEFLAGS} + + # Install luajit from openresty fork + export LUAJIT_LIB=/usr/local/lib + export LUA_LIB_DIR="$LUAJIT_LIB/lua" + export LUAJIT_INC=/usr/local/include/luajit-2.1 + + cd "$BUILD_PATH/luajit2" + make CCDEBUG=-g + make install + + ln -s /usr/local/bin/luajit /usr/local/bin/lua + ln -s "$LUAJIT_INC" /usr/local/include/lua + + cd "$BUILD_PATH/opentelemetry-cpp" + export CXXFLAGS="-DBENCHMARK_HAS_NO_INLINE_ASSEMBLY" + cmake -B build -G Ninja -Wno-dev \ + -DOTELCPP_PROTO_PATH="${BUILD_PATH}/opentelemetry-proto/" \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DBUILD_SHARED_LIBS=ON \ + -DBUILD_TESTING="OFF" \ + -DBUILD_W3CTRACECONTEXT_TEST="OFF" \ + -DCMAKE_BUILD_TYPE=None \ + -DWITH_ABSEIL=ON \ + -DWITH_STL=ON \ + -DWITH_EXAMPLES=OFF \ + -DWITH_ZPAGES=OFF \ + -DWITH_OTLP_GRPC=ON \ + -DWITH_OTLP_HTTP=ON \ + -DWITH_ZIPKIN=ON \ + -DWITH_PROMETHEUS=OFF \ + -DWITH_ASYNC_EXPORT_PREVIEW=OFF \ + -DWITH_METRICS_EXEMPLAR_PREVIEW=OFF + cmake --build build + cmake --install build + + # Git tuning + git config --global --add core.compression -1 + + # Get Brotli source and deps + cd "$BUILD_PATH" + git clone --depth=100 https://github.com/google/ngx_brotli.git + cd ngx_brotli + # https://github.com/google/ngx_brotli/issues/156 + git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52 + git submodule init + git submodule update + + cd "$BUILD_PATH" + 
git clone --depth=1 https://github.com/ssdeep-project/ssdeep + cd ssdeep/ + + ./bootstrap + ./configure + + make + make install + + # build modsecurity library + cd "$BUILD_PATH" + git clone -n https://github.com/SpiderLabs/ModSecurity + cd ModSecurity/ + git checkout $MODSECURITY_LIB_VERSION + git submodule init + git submodule update + + sh build.sh + + # https://github.com/SpiderLabs/ModSecurity/issues/1909#issuecomment-465926762 + sed -i '115i LUA_CFLAGS="${LUA_CFLAGS} -DWITH_LUA_JIT_2_1"' build/lua.m4 + sed -i '117i AC_SUBST(LUA_CFLAGS)' build/lua.m4 + + ./configure \ + --disable-doxygen-doc \ + --disable-doxygen-html \ + --disable-examples + + make + make install + + mkdir -p /etc/nginx/modsecurity + cp modsecurity.conf-recommended /etc/nginx/modsecurity/modsecurity.conf + cp unicode.mapping /etc/nginx/modsecurity/unicode.mapping + + # Replace serial logging with concurrent + sed -i 's|SecAuditLogType Serial|SecAuditLogType Concurrent|g' /etc/nginx/modsecurity/modsecurity.conf + + # Concurrent logging implies the log is stored in several files + echo "SecAuditLogStorageDir /var/log/audit/" >> /etc/nginx/modsecurity/modsecurity.conf + + # Download owasp modsecurity crs + cd /etc/nginx/ + + git clone -b $OWASP_MODSECURITY_CRS_VERSION https://github.com/coreruleset/coreruleset + mv coreruleset owasp-modsecurity-crs + cd owasp-modsecurity-crs + + mv crs-setup.conf.example crs-setup.conf + mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf + mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf + cd .. 
+ + # OWASP CRS v3 rules + echo " + Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf + Include 
/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf + " > /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf + + # build nginx + cd "$BUILD_PATH/nginx-$NGINX_VERSION" + + # apply nginx patches + for PATCH in `ls /patches`;do + echo "Patch: $PATCH" + if [[ "$PATCH" == *.txt ]]; then + patch -p0 < /patches/$PATCH + else + patch -p1 < /patches/$PATCH + fi + done + + WITH_FLAGS="--with-debug \ + --with-compat \ + --with-pcre-jit \ + --with-http_ssl_module \ + --with-http_stub_status_module \ + --with-http_realip_module \ + --with-http_auth_request_module \ + --with-http_addition_module \ + --with-http_gzip_static_module \ + --with-http_sub_module \ + --with-http_v2_module \ + --with-stream \ + --with-stream_ssl_module \ + --with-stream_realip_module \ + --with-stream_ssl_preread_module \ + --with-threads \ + --with-http_secure_link_module \ + --with-http_gunzip_module" + + # "Combining -flto with -g is currently experimental and expected to produce unexpected results." 
+ # https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html + CC_OPT="-g -O2 -fPIE -fstack-protector-strong \ + -Wformat \ + -Werror=format-security \ + -Wno-deprecated-declarations \ + -fno-strict-aliasing \ + -D_FORTIFY_SOURCE=2 \ + --param=ssp-buffer-size=4 \ + -DTCP_FASTOPEN=23 \ + -fPIC \ + -Wno-cast-function-type" + + LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now" + + if [[ ${ARCH} != "aarch64" ]]; then + WITH_FLAGS+=" --with-file-aio" + fi + + if [[ ${ARCH} == "x86_64" ]]; then + CC_OPT+=' -m64 -mtune=generic' + fi + + WITH_MODULES=" \ + --add-module=$BUILD_PATH/ngx_devel_kit \ + --add-module=$BUILD_PATH/set-misc-nginx-module \ + --add-module=$BUILD_PATH/headers-more-nginx-module \ + --add-module=$BUILD_PATH/ngx_http_substitutions_filter_module \ + --add-module=$BUILD_PATH/lua-nginx-module \ + --add-module=$BUILD_PATH/stream-lua-nginx-module \ + --add-module=$BUILD_PATH/lua-upstream-nginx-module \ + --add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest \ + --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx \ + --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module \ + --add-dynamic-module=$BUILD_PATH/ngx_brotli" + + ./configure \ + --prefix=/usr/local/nginx \ + --conf-path=/etc/nginx/nginx.conf \ + --modules-path=/etc/nginx/modules \ + --http-log-path=/var/log/nginx/access.log \ + --error-log-path=/var/log/nginx/error.log \ + --lock-path=/var/lock/nginx.lock \ + --pid-path=/run/nginx.pid \ + --http-client-body-temp-path=/var/lib/nginx/body \ + --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ + --http-proxy-temp-path=/var/lib/nginx/proxy \ + --http-scgi-temp-path=/var/lib/nginx/scgi \ + --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ + ${WITH_FLAGS} \ + --without-mail_pop3_module \ + --without-mail_smtp_module \ + --without-mail_imap_module \ + --without-http_uwsgi_module \ + --without-http_scgi_module \ + --with-cc-opt="${CC_OPT}" \ + --with-ld-opt="${LD_OPT}" \ + --user=www-data \ + --group=www-data \ + ${WITH_MODULES} + + make + make modules + make 
install + + export OPENTELEMETRY_CONTRIB_COMMIT=aaa51e2297bcb34297f3c7aa44fa790497d2f7f3 + cd "$BUILD_PATH" + + git clone https://github.com/open-telemetry/opentelemetry-cpp-contrib.git opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} + + cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} + git reset --hard ${OPENTELEMETRY_CONTRIB_COMMIT} + + export OTEL_TEMP_INSTALL=/tmp/otel + mkdir -p ${OTEL_TEMP_INSTALL} + + cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}/instrumentation/nginx + mkdir -p build + cd build + cmake -DCMAKE_BUILD_TYPE=Release \ + -G Ninja \ + -DCMAKE_CXX_STANDARD=17 \ + -DCMAKE_INSTALL_PREFIX=${OTEL_TEMP_INSTALL} \ + -DBUILD_SHARED_LIBS=ON \ + -DNGINX_VERSION=${NGINX_VERSION} \ + .. + cmake --build . -j ${CORES} --target install + + mkdir -p /etc/nginx/modules + cp ${OTEL_TEMP_INSTALL}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so + + + cd "$BUILD_PATH/lua-resty-core" + make install + + cd "$BUILD_PATH/lua-resty-balancer" + make all + make install + + export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1 + ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 + + cd "$BUILD_PATH/lua-cjson" + make all + make install + + cd "$BUILD_PATH/lua-resty-cookie" + make all + make install + + cd "$BUILD_PATH/lua-resty-lrucache" + make install + + cd "$BUILD_PATH/lua-resty-dns" + make install + + cd "$BUILD_PATH/lua-resty-lock" + make install + + # required for OCSP verification + cd "$BUILD_PATH/lua-resty-http" + make install + + cd "$BUILD_PATH/lua-resty-upload" + make install + + cd "$BUILD_PATH/lua-resty-string" + make install + + cd "$BUILD_PATH/lua-resty-memcached" + make install + + cd "$BUILD_PATH/lua-resty-redis" + make install + + cd "$BUILD_PATH/lua-resty-ipmatcher" + INST_LUADIR=/usr/local/lib/lua make install + + cd "$BUILD_PATH/lua-resty-global-throttle" + make install + + cd "$BUILD_PATH/mimalloc" + mkdir -p out/release + cd out/release + + cmake ../.. 
+ + make + make install + + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/rootfs/Dockerfile#L48-L63 + writeDirs=( \ + /etc/nginx \ + /etc/ingress-controller/ssl \ + /etc/ingress-controller/auth \ + /etc/ingress-controller/geoip \ + /etc/ingress-controller/telemetry \ + /usr/local/nginx \ + /opt/modsecurity/var/log \ + /opt/modsecurity/var/upload \ + /opt/modsecurity/var/audit \ + /var/log/audit \ + /var/log/nginx \ + /tmp/nginx \ + ); + + for dir in "${writeDirs[@]}"; do + mkdir -p ${dir}; + chown -R www-data.www-data ${dir}; + done + + rm -rf /etc/nginx/owasp-modsecurity-crs/.git + rm -rf /etc/nginx/owasp-modsecurity-crs/util/regression-tests + + # remove .a files + find /usr/local -name "*.a" -print | xargs /bin/rm + + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/images/nginx-1.25/rootfs/Dockerfile#L31-L34 + mkdir -p $CRAFT_PART_INSTALL/usr/local + cp -rp /usr/local/* $CRAFT_PART_INSTALL/usr/local + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/rootfs/Dockerfile#L73-L74 + setcap cap_net_bind_service=+ep $CRAFT_PART_INSTALL/usr/local/nginx/sbin/nginx + setcap -v cap_net_bind_service=+ep $CRAFT_PART_INSTALL/usr/local/nginx/sbin/nginx + + mkdir -p $CRAFT_PART_INSTALL/usr/local/lib + LIBPATH="/usr/lib/x86_64-linux-gnu" + if [ $CRAFT_TARGET_ARCH == "arm64" ]; then + LIBPATH="/usr/lib/aarch64-linux-gnu" + fi + cp $LIBPATH/libopentelemetry* $CRAFT_PART_INSTALL/usr/local/lib + + mkdir -p $CRAFT_PART_INSTALL/opt + cp -rp /opt/* $CRAFT_PART_INSTALL/opt + + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/rootfs/Dockerfile#L42 + mkdir -p $CRAFT_PART_INSTALL/etc/nginx + cp -rp $CRAFT_PART_SRC/rootfs/etc/nginx/* $CRAFT_PART_INSTALL/etc/nginx + cp -rp /etc/nginx/* $CRAFT_PART_INSTALL/etc/nginx + + # Added files/directories that need creating: + mkdir -p $CRAFT_PART_INSTALL/var/log + cp -rp /var/log/nginx $CRAFT_PART_INSTALL/var/log + cp -rp /var/log/audit $CRAFT_PART_INSTALL/var/log + 
+ mkdir -p $CRAFT_PART_INSTALL/var/lib/nginx + + stage: + - usr/local/* + - usr/lib/* + - opt/* + - etc/nginx/* + - var/log/nginx + - var/log/audit + - var/lib/nginx + + build-go-binaries: + after: ['build-nginx'] + plugin: go + + build-environment: + - CGO_ENABLED: 0 + + build-snaps: + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/GOLANG_VERSION#L1 + - go/1.22/stable + + build-packages: + - libcap2-bin + + source-type: git + source: https://github.com/kubernetes/ingress-nginx + source-tag: controller-v1.10.1 + source-depth: 1 + + override-build: | + set -eux -o pipefail + + mkdir -p rootfs/bin + + export TAG="controller-v1.10.1" + export PKG="k8s.io/ingress-nginx" + export ARCH="$CRAFT_TARGET_ARCH" + cd $CRAFT_PART_SRC + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/Makefile#L45-L46 + export COMMIT_SHA=`git rev-parse HEAD` + export REPO_INFO=`git config --get remote.origin.url` + + bash build/build.sh + + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/rootfs/Dockerfile#L44-L46 + cp rootfs/bin/${ARCH}/{dbg,nginx-ingress-controller,wait-shutdown} $CRAFT_PART_INSTALL + chown -R www-data:www-data $CRAFT_PART_INSTALL/{dbg,nginx-ingress-controller,wait-shutdown} + + setcap cap_net_bind_service=+ep $CRAFT_PART_INSTALL/nginx-ingress-controller + setcap -v cap_net_bind_service=+ep $CRAFT_PART_INSTALL/nginx-ingress-controller + + # NOTE(aznashwan): dumb-init is a staged package. + # setcap cap_net_bind_service=+ep $CRAFT_PART_INSTALL/usr/bin/dumb-init + # setcap -v cap_net_bind_service=+ep $CRAFT_PART_INSTALL/usr/bin/dumb-init diff --git a/controller/v1.11.0/README.md b/controller/v1.11.0/README.md new file mode 100644 index 0000000..6fe731f --- /dev/null +++ b/controller/v1.11.0/README.md @@ -0,0 +1,3 @@ +# ROCK specs for Nginx ingress controller. + +Aims to be compatible with `registry.k8s.io/ingress-nginx/controller:v1.11.0`. 
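Review bot: In the `get_src` helper of the build-nginx part's override-build the sha256 digest is accepted as `$1` but never checked (`# echo "$hash $f" | sha256sum -c - || exit 10` is commented out), and the two opentelemetry-cpp / opentelemetry-proto calls pass the placeholder `abc123`, so every third-party tarball this part compiles into the image is fetched with `curl -sSL` and used without integrity verification. The digests for the other archives are already in the script, so the check can be restored as `echo "$hash $f" | sha256sum -c - || exit 10` once the two placeholders are replaced by the real digests of the pinned `$OPENTELEMETRY_CPP_VERSION` / `$OPENTELEMETRY_PROTO_VERSION` archives (`<sha256 of pinned archive>` until computed). The `git clone --depth=1 https://github.com/ssdeep-project/ssdeep` further down is the only other fetch with no tag or commit pin; a `git reset --hard <pinned commit>` as done for ngx_brotli would close that gap. Separately, the `for PATCH` loop over `ls /patches` reads a directory that nothing in this spec creates (upstream's Dockerfile copies its patches directory there), so unless the build environment provides it the upstream nginx patches are silently skipped — worth confirming. The controller/v1.11.0/rockcraft.yaml hunk that follows looks like a copy of this script and presumably needs the same fixes; it runs past the end of this chunk.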
diff --git a/controller/v1.11.0/rockcraft.yaml b/controller/v1.11.0/rockcraft.yaml
new file mode 100644
index 0000000..c237956
--- /dev/null
+++ b/controller/v1.11.0/rockcraft.yaml
@@ -0,0 +1,868 @@
+# Copyright 2024 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+# Rockcraft definition for the Nginx ingress controller image:
+# registry.k8s.io/ingress-nginx/controller:v1.11.0
+
+name: controller
+summary: Rock for the Nginx ingress controller.
+description: |
+ Rock for the Nginx ingress controller.
+ https://github.com/kubernetes/ingress-nginx
+license: Apache-2.0
+
+version: v1.11.0
+
+# Upstream image is based on Alpine:
+# https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/images/nginx-1.25/rootfs/Dockerfile#L24
+base: ubuntu@22.04
+build-base: ubuntu@22.04
+platforms:
+ amd64:
+ arm64:
+
+services:
+ nginx:
+ startup: enabled
+ override: replace
+
+ command: /usr/bin/dumb-init -- [ /nginx-ingress-controller ]
+
+entrypoint-service: nginx
+
+# https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/images/nginx-1.25/rootfs/Dockerfile#L26-L29
+environment:
+ # NOTE: string interpolation is not supported within 'environment' variable delcarations.
+ # This value is simply the default $PATH on Ubuntu 22.04 images with the + # relevant lua/nginx binary locations appended to it: + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/images/nginx-1.25/rootfs/Dockerfile#L26 + PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin + + LUA_PATH: /usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;; + LUA_CPATH: /usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;; + LD_LIBRARY_PATH: /usr/local/lib + +parts: + + prepare-base-image: + plugin: nil + stage-packages: + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/images/nginx-1.25/rootfs/Dockerfile#L39-L53 + - bash + - passwd + - libpcre3 + - libpcre3-dev + - zlib1g-dev + - ca-certificates + - patch + - libyajl2 + - yajl-tools + - liblmdb-dev + - lmdb-utils + - libxml2 + - libmaxminddb-dev + - libyaml-cpp-dev + - libprotobuf-dev + - dumb-init + - tzdata + + overlay-script: | + set -eux -o pipefail + + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/images/nginx-1.25/rootfs/Dockerfile#L55-L56 + # NOTE(aznashwan): the base Ubuntu image already defines a 'www-data' user. 
+ # groupadd -R $CRAFT_OVERLAY -r -g 101 www-data + # useradd -R $CRAFT_OVERLAY \ + # -s /sbin/nologin -d /usr/local/nginx --no-log-init -r -m -g 101 -u 101 www-data + + build-libgrpcpp: + plugin: nil + after: ['prepare-base-image'] + + source-type: git + # HACK(aznashwan): the `libgrpc++` package on 22.04 is version 1.30, + # while the `grpc-dev` package in the Alpine repos used in the original + # image is currently 1.62.1, so we must build it ourselves: + source: https://github.com/grpc/grpc + source-tag: v1.62.1 + source-depth: 1 + + build-packages: + - cmake + + override-build: | + set -eux -o pipefail + + cd $CRAFT_PART_SRC + + mkdir -p cmake/build + pushd cmake/build + cmake -DgRPC_INSTALL=ON -DgRPC_BUILD_TESTS=OFF \ + -DBUILD_SHARED_LIBS=ON \ + ../.. + # -DCMAKE_INSTALL_PREFIX=$LIBGRPC_INSTALL_DIR \ + make -j 4 + make install + + build-libssl: + plugin: nil + after: ['prepare-base-image'] + + source-type: tar + # HACK(aznashwan): the version of OpenSSL used in the upstream Nginx + # image is 3.3.1, which is not otherwise available on 22.04: + source: https://github.com/openssl/openssl/releases/download/openssl-3.3.1/openssl-3.3.1.tar.gz + + build-packages: + - build-essential + - checkinstall + - zlib1g-dev + + override-build: | + set -eux -o pipefail + + cd $CRAFT_PART_SRC + + ./config shared zlib + make + make install + + LIBSSL_TARGET="/usr/local/lib64/libssl.so.3" + LIBCRYPTO_TARGET="/usr/local/lib64/libcrypto.so" + if [ "$CRAFT_TARGET_ARCH" == "arm64" ]; then + LIBSSL_TARGET="/usr/lib/aarch64-linux-gnu/libssl.so.3" + LIBCRYPTO_TARGET="/usr/lib/aarch64-linux-gnu/libcrypto.so.3" + fi + + rm -f /usr/local/lib/libssl.so + ln -s $LIBSSL_TARGET /usr/local/lib/libssl.so + + rm -f /usr/local/lib/libcrypto.so + ln -s $LIBCRYPTO_TARGET /usr/local/lib/libcrypto.so + + ldconfig -p + + build-nginx: + plugin: nil + after: ['build-libgrpcpp', 'build-libssl'] + + source-type: git + source: https://github.com/kubernetes/ingress-nginx + source-tag: controller-v1.11.0 + 
source-depth: 1 + + build-packages: + - bash + - gcc + - clang + - libc-dev + - make + - automake + - libpcre3 + - libpcre3-dev + - zlib1g-dev + - linux-headers-generic + - libxslt-dev + - libgd3 + - libperl-dev + - libedit-dev + - mercurial + - build-essential + - findutils + - curl + - ca-certificates + - patch + - libaio-dev + - cmake + - util-linux + - liblmdb-dev + - lmdb-utils + - wget + - libcurl4-openssl-dev + - git + - g++ + - pkgconf + - flex + - bison + - doxygen + - libyajl2 + - yajl-tools + - libtool + - autoconf + - libxml2 + - libxml2-dev + - python3 + - libmaxminddb-dev + - bc + - unzip + - dos2unix + - libyaml-cpp-dev + - coreutils + - libbrotli-dev + - ninja-build + - libgtest-dev + - libc-ares2 + - libc-ares-dev + - libre2-dev + - libprotobuf-dev + - libabsl-dev + - libcap2-bin + + build-environment: + - LD_LIBRARY_PATH: /usr/local/lib + + override-build: | + # Mostly lifted 1:1 from the upstream build script: + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/images/nginx-1.25/rootfs/build.sh + # The following notable adaptations were necessary: + # - translated `apk add` dep packages into `build-packages` + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/images/nginx-1.25/rootfs/build.sh#L139-L184 + # - removed `adduser www-data` (base Ubuntu defines www-data user by default) + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/images/nginx-1.25/rootfs/build.sh#L617 + # - relevant `mv $CRAFT_PART_INSTALL` calls at the very end + set -eux -o pipefail + + export NGINX_VERSION=1.25.5 + + # Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.3...master + export NDK_VERSION=v0.3.3 + + # Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master + export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e + + # Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.37...master + 
export MORE_HEADERS_VERSION=v0.37 + + # Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master + export NGINX_DIGEST_AUTH=v1.0.0 + + # Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master + export NGINX_SUBSTITUTIONS=e12e965ac1837ca709709f9a26f572a54d83430e + + # Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master + export MODSECURITY_VERSION=v1.0.3 + + # Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master + export MODSECURITY_LIB_VERSION=v3.0.12 + + # Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.5...v4.0/main + export OWASP_MODSECURITY_CRS_VERSION=v4.4.0 + + # Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/b5d1688ae722538ba4dc8a7ec08820a08abfb93d...master + export LUA_NGX_VERSION=b5d1688ae722538ba4dc8a7ec08820a08abfb93d + + # Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/bea8a0c0de94cede71554f53818ac0267d675d63...master + export LUA_STREAM_NGX_VERSION=bea8a0c0de94cede71554f53818ac0267d675d63 + + # Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master + export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36 + + # Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.13...openresty:master + export LUA_CJSON_VERSION=2.1.0.13 + + # Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/a607a41a8115fecfc05b5c283c81532a3d605425...master + export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425 + + # Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240314...v2.1-agentzh + export LUAJIT_VERSION=v2.1-20240314 + + # Check for recent changes: 
https://github.com/openresty/lua-resty-balancer/compare/1cd4363c0a239afe4765ec607dcfbbb4e5900eea...master + export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea + + # Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/99e7578465b40f36f596d099b82eab404f2b42ed...master + export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed + + # Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master + export LUA_RESTY_CORE=v0.1.28 + + # Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master + export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4 + + # Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/8bb53516e2933e61c317db740a9b7c2048847c2f...master + export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f + + # Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.1...master + export LUA_RESTY_HTTP=v0.17.1 + + # Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master + export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9 + + # Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master + export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3 + + # Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master + export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844 + + # Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master + export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b + + # Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master + export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8 + + # Check for recent changes: 
https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master + export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be + + # Check for recent changes: https://github.com/ElvinEfendi/lua-resty-global-throttle/compare/v0.2.0...main + export LUA_RESTY_GLOBAL_THROTTLE_VERSION=v0.2.0 + + # Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.7...master + export MIMALOC_VERSION=v2.1.7 + + # Check on https://github.com/open-telemetry/opentelemetry-cpp + export OPENTELEMETRY_CPP_VERSION="v1.11.0" + # Check on https://github.com/open-telemetry/opentelemetry-proto + export OPENTELEMETRY_PROTO_VERSION="v1.1.0" + + export BUILD_PATH=/tmp/build + + ARCH=$(uname -m) + + get_src() + { + hash="$1" + url="$2" + dest="${3-}" + ARGS="" + f=$(basename "$url") + + echo "Downloading $url" + + curl -sSL "$url" -o "$f" + # TODO: Reenable checksum verification but make it smarter + # echo "$hash $f" | sha256sum -c - || exit 10 + if [ ! -z "$dest" ]; then + mkdir ${BUILD_PATH}/${dest} + ARGS="-C ${BUILD_PATH}/${dest} --strip-components=1" + fi + tar xvzf "$f" $ARGS + rm -rf "$f" + } + + # There is some bug with some platforms and git, so force HTTP/1.1 + git config --global http.version HTTP/1.1 + git config --global http.postBuffer 157286400 + + mkdir -p /etc/nginx + + mkdir --verbose -p "$BUILD_PATH" + cd "$BUILD_PATH" + + # download, verify and extract the source files + get_src 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae \ + "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" + + get_src aa961eafb8317e0eb8da37eb6e2c9ff42267edd18b56947384e719b85188f58b \ + "https://github.com/vision5/ngx_devel_kit/archive/$NDK_VERSION.tar.gz" "ngx_devel_kit" + + get_src abc123 \ + "https://github.com/open-telemetry/opentelemetry-cpp/archive/$OPENTELEMETRY_CPP_VERSION.tar.gz" "opentelemetry-cpp" + + get_src abc123 \ + "https://github.com/open-telemetry/opentelemetry-proto/archive/$OPENTELEMETRY_PROTO_VERSION.tar.gz" 
"opentelemetry-proto" + + get_src cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 \ + "https://github.com/openresty/set-misc-nginx-module/archive/$SETMISC_VERSION.tar.gz" "set-misc-nginx-module" + + get_src 0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \ + "https://github.com/openresty/headers-more-nginx-module/archive/$MORE_HEADERS_VERSION.tar.gz" "headers-more-nginx-module" + + get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \ + "https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest" + + get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \ + "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" "ngx_http_substitutions_filter_module" + + get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \ + "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx" + + get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \ + "https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz" "lua-nginx-module" + + get_src 01b715754a8248cc7228e0c8f97f7488ae429d90208de0481394e35d24cef32f \ + "https://github.com/openresty/stream-lua-nginx-module/archive/$LUA_STREAM_NGX_VERSION.tar.gz" "stream-lua-nginx-module" + + get_src a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f \ + "https://github.com/openresty/lua-upstream-nginx-module/archive/$LUA_UPSTREAM_VERSION.tar.gz" "lua-upstream-nginx-module" + + get_src 77bbcbb24c3c78f51560017288f3118d995fe71240aa379f5818ff6b166712ff \ + "https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" "luajit2" + + get_src b6c9c09fd43eb34a71e706ad780b2ead26549a9a9f59280fe558f5b7b980b7c6 \ + "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" "ngx_http_geoip2_module" + + get_src 
deb4ab1ffb9f3d962c4b4a2c4bdff692b86a209e3835ae71ebdf3b97189e40a9 \ + "https://github.com/openresty/lua-resty-upload/archive/$LUA_RESTY_UPLOAD_VERSION.tar.gz" "lua-resty-upload" + + get_src bdbf271003d95aa91cab0a92f24dca129e99b33f79c13ebfcdbbcbb558129491 \ + "https://github.com/openresty/lua-resty-string/archive/$LUA_RESTY_STRING_VERSION.tar.gz" "lua-resty-string" + + get_src 16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5 \ + "https://github.com/openresty/lua-resty-balancer/archive/$LUA_RESTY_BALANCER.tar.gz" "lua-resty-balancer" + + get_src 39baab9e2b31cc48cecf896cea40ef6e80559054fd8a6e440cc804a858ea84d4 \ + "https://github.com/openresty/lua-resty-core/archive/$LUA_RESTY_CORE.tar.gz" "lua-resty-core" + + get_src a77b9de160d81712f2f442e1de8b78a5a7ef0d08f13430ff619f79235db974d4 \ + "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" "lua-cjson" + + get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \ + "https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" "lua-resty-cookie" + + get_src 573184006b98ccee2594b0d134fa4d05e5d2afd5141cbad315051ccf7e9b6403 \ + "https://github.com/openresty/lua-resty-lrucache/archive/$LUA_RESTY_CACHE.tar.gz" "lua-resty-lrucache" + + get_src b4ddcd47db347e9adf5c1e1491a6279a6ae2a3aff3155ef77ea0a65c998a69c1 \ + "https://github.com/openresty/lua-resty-lock/archive/$LUA_RESTY_LOCK.tar.gz" "lua-resty-lock" + + get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \ + "https://github.com/openresty/lua-resty-dns/archive/$LUA_RESTY_DNS.tar.gz" "lua-resty-dns" + + get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \ + "https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz" "lua-resty-http" + + get_src 02733575c4aed15f6cab662378e4b071c0a4a4d07940c4ef19a7319e9be943d4 \ + "https://github.com/openresty/lua-resty-memcached/archive/$LUA_RESTY_MEMCACHED_VERSION.tar.gz" "lua-resty-memcached" + + 
get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \ + "https://github.com/openresty/lua-resty-redis/archive/$LUA_RESTY_REDIS_VERSION.tar.gz" "lua-resty-redis" + + get_src efb767487ea3f6031577b9b224467ddbda2ad51a41c5867a47582d4ad85d609e \ + "https://github.com/api7/lua-resty-ipmatcher/archive/$LUA_RESTY_IPMATCHER_VERSION.tar.gz" "lua-resty-ipmatcher" + + get_src 0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea \ + "https://github.com/ElvinEfendi/lua-resty-global-throttle/archive/$LUA_RESTY_GLOBAL_THROTTLE_VERSION.tar.gz" "lua-resty-global-throttle" + + get_src d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da \ + "https://github.com/microsoft/mimalloc/archive/${MIMALOC_VERSION}.tar.gz" "mimalloc" + + # improve compilation times + CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) + + export MAKEFLAGS=-j${CORES} + export CTEST_BUILD_FLAGS=${MAKEFLAGS} + + # Install luajit from openresty fork + export LUAJIT_LIB=/usr/local/lib + export LUA_LIB_DIR="$LUAJIT_LIB/lua" + export LUAJIT_INC=/usr/local/include/luajit-2.1 + rm -rf /usr/include/lua5.1 + + cd "$BUILD_PATH/luajit2" + make CCDEBUG=-g + make install + + rm -f /usr/local/bin/lua + ln -s /usr/local/bin/luajit /usr/local/bin/lua + rm -f /usr/local/include/lua + ln -s "$LUAJIT_INC" /usr/local/include/lua + + cd "$BUILD_PATH/opentelemetry-cpp" + export CXXFLAGS="-DBENCHMARK_HAS_NO_INLINE_ASSEMBLY" + cmake -B build -G Ninja -Wno-dev \ + -DOTELCPP_PROTO_PATH="${BUILD_PATH}/opentelemetry-proto/" \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DBUILD_SHARED_LIBS=ON \ + -DBUILD_TESTING="OFF" \ + -DBUILD_W3CTRACECONTEXT_TEST="OFF" \ + -DCMAKE_BUILD_TYPE=None \ + -DWITH_ABSEIL=ON \ + -DWITH_STL=ON \ + -DWITH_EXAMPLES=OFF \ + -DWITH_ZPAGES=OFF \ + -DWITH_OTLP_GRPC=ON \ + -DWITH_OTLP_HTTP=ON \ + -DWITH_ZIPKIN=ON \ + -DWITH_PROMETHEUS=OFF \ + -DWITH_ASYNC_EXPORT_PREVIEW=OFF \ + -DWITH_METRICS_EXEMPLAR_PREVIEW=OFF + cmake --build build + cmake --install build + + # Git tuning + git 
config --global --add core.compression -1 + + # Get Brotli source and deps + cd "$BUILD_PATH" + git clone --depth=100 https://github.com/google/ngx_brotli.git + cd ngx_brotli + # https://github.com/google/ngx_brotli/issues/156 + git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52 + git submodule init + git submodule update + + cd "$BUILD_PATH" + git clone --depth=1 https://github.com/ssdeep-project/ssdeep + cd ssdeep/ + + ./bootstrap + ./configure + + make + make install + + # build modsecurity library + cd "$BUILD_PATH" + git clone -n https://github.com/SpiderLabs/ModSecurity + cd ModSecurity/ + git checkout $MODSECURITY_LIB_VERSION + git submodule init + git submodule update + + sh build.sh + + # https://github.com/SpiderLabs/ModSecurity/issues/1909#issuecomment-465926762 + sed -i '115i LUA_CFLAGS="${LUA_CFLAGS} -DWITH_LUA_JIT_2_1"' build/lua.m4 + sed -i '117i AC_SUBST(LUA_CFLAGS)' build/lua.m4 + + ./configure \ + --disable-doxygen-doc \ + --disable-doxygen-html \ + --disable-examples + + make + make install + + mkdir -p /etc/nginx/modsecurity + cp modsecurity.conf-recommended /etc/nginx/modsecurity/modsecurity.conf + cp unicode.mapping /etc/nginx/modsecurity/unicode.mapping + + # Replace serial logging with concurrent + sed -i 's|SecAuditLogType Serial|SecAuditLogType Concurrent|g' /etc/nginx/modsecurity/modsecurity.conf + + # Concurrent logging implies the log is stored in several files + echo "SecAuditLogStorageDir /var/log/audit/" >> /etc/nginx/modsecurity/modsecurity.conf + + # Download owasp modsecurity crs + cd /etc/nginx/ + + git clone -b $OWASP_MODSECURITY_CRS_VERSION https://github.com/coreruleset/coreruleset + mv coreruleset owasp-modsecurity-crs + cd owasp-modsecurity-crs + + mv crs-setup.conf.example crs-setup.conf + mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf + mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf + cd .. 
+ + # OWASP CRS v4 rules + echo " + Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf + Include 
/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-955-WEB-SHELLS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf + " > /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf + + # build nginx + cd "$BUILD_PATH/nginx-$NGINX_VERSION" + + # apply nginx patches + for PATCH in `ls /patches`;do + echo "Patch: $PATCH" + if [[ "$PATCH" == *.txt ]]; then + patch -p0 < /patches/$PATCH + else + patch -p1 < /patches/$PATCH + fi + done + + WITH_FLAGS="--with-debug \ + --with-compat \ + --with-pcre-jit \ + --with-http_ssl_module \ + --with-http_stub_status_module \ + --with-http_realip_module \ + --with-http_auth_request_module \ + --with-http_addition_module \ + --with-http_gzip_static_module \ + --with-http_sub_module \ + --with-http_v2_module \ + --with-http_v3_module \ + --with-stream \ + --with-stream_ssl_module \ + --with-stream_realip_module \ + --with-stream_ssl_preread_module \ + --with-threads \ + --with-http_secure_link_module \ + --with-http_gunzip_module" + + # "Combining -flto with -g is currently experimental and expected to produce unexpected results." 
+ # https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html + CC_OPT="-g -O2 -fPIE -fstack-protector-strong \ + -Wformat \ + -Werror=format-security \ + -Wno-deprecated-declarations \ + -fno-strict-aliasing \ + -D_FORTIFY_SOURCE=2 \ + --param=ssp-buffer-size=4 \ + -DTCP_FASTOPEN=23 \ + -fPIC \ + -Wno-cast-function-type" + + LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now" + + if [[ ${ARCH} != "aarch64" ]]; then + WITH_FLAGS+=" --with-file-aio" + fi + + if [[ ${ARCH} == "x86_64" ]]; then + CC_OPT+=' -m64 -mtune=generic' + fi + + WITH_MODULES=" \ + --add-module=$BUILD_PATH/ngx_devel_kit \ + --add-module=$BUILD_PATH/set-misc-nginx-module \ + --add-module=$BUILD_PATH/headers-more-nginx-module \ + --add-module=$BUILD_PATH/ngx_http_substitutions_filter_module \ + --add-module=$BUILD_PATH/lua-nginx-module \ + --add-module=$BUILD_PATH/stream-lua-nginx-module \ + --add-module=$BUILD_PATH/lua-upstream-nginx-module \ + --add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest \ + --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx \ + --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module \ + --add-dynamic-module=$BUILD_PATH/ngx_brotli" + + ./configure \ + --prefix=/usr/local/nginx \ + --conf-path=/etc/nginx/nginx.conf \ + --modules-path=/etc/nginx/modules \ + --http-log-path=/var/log/nginx/access.log \ + --error-log-path=/var/log/nginx/error.log \ + --lock-path=/var/lock/nginx.lock \ + --pid-path=/run/nginx.pid \ + --http-client-body-temp-path=/var/lib/nginx/body \ + --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ + --http-proxy-temp-path=/var/lib/nginx/proxy \ + --http-scgi-temp-path=/var/lib/nginx/scgi \ + --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ + ${WITH_FLAGS} \ + --without-mail_pop3_module \ + --without-mail_smtp_module \ + --without-mail_imap_module \ + --without-http_uwsgi_module \ + --without-http_scgi_module \ + --with-cc-opt="${CC_OPT}" \ + --with-ld-opt="${LD_OPT}" \ + --user=www-data \ + --group=www-data \ + ${WITH_MODULES} + + make + make modules + make 
install + + export OPENTELEMETRY_CONTRIB_COMMIT=aaa51e2297bcb34297f3c7aa44fa790497d2f7f3 + cd "$BUILD_PATH" + + git clone https://github.com/open-telemetry/opentelemetry-cpp-contrib.git opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} + + cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} + git reset --hard ${OPENTELEMETRY_CONTRIB_COMMIT} + + export OTEL_TEMP_INSTALL=/tmp/otel + mkdir -p ${OTEL_TEMP_INSTALL} + + cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}/instrumentation/nginx + mkdir -p build + cd build + cmake -DCMAKE_BUILD_TYPE=Release \ + -G Ninja \ + -DCMAKE_CXX_STANDARD=17 \ + -DCMAKE_INSTALL_PREFIX=${OTEL_TEMP_INSTALL} \ + -DBUILD_SHARED_LIBS=ON \ + -DNGINX_VERSION=${NGINX_VERSION} \ + .. + cmake --build . -j ${CORES} --target install + + mkdir -p /etc/nginx/modules + cp ${OTEL_TEMP_INSTALL}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so + + + cd "$BUILD_PATH/lua-resty-core" + make install + + cd "$BUILD_PATH/lua-resty-balancer" + make all + make install + + export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1 + rm -rf /usr/include/lua5.1 + ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 + + cd "$BUILD_PATH/lua-cjson" + make all + make install + + cd "$BUILD_PATH/lua-resty-cookie" + make all + make install + + cd "$BUILD_PATH/lua-resty-lrucache" + make install + + cd "$BUILD_PATH/lua-resty-dns" + make install + + cd "$BUILD_PATH/lua-resty-lock" + make install + + # required for OCSP verification + cd "$BUILD_PATH/lua-resty-http" + make install + + cd "$BUILD_PATH/lua-resty-upload" + make install + + cd "$BUILD_PATH/lua-resty-string" + make install + + cd "$BUILD_PATH/lua-resty-memcached" + make install + + cd "$BUILD_PATH/lua-resty-redis" + make install + + cd "$BUILD_PATH/lua-resty-ipmatcher" + INST_LUADIR=/usr/local/lib/lua make install + + cd "$BUILD_PATH/lua-resty-global-throttle" + make install + + cd "$BUILD_PATH/mimalloc" + mkdir -p out/release + cd out/release + + cmake ../.. 
+ + make + make install + + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/rootfs/Dockerfile#L48-L63 + writeDirs=( \ + /etc/nginx \ + /etc/ingress-controller/ssl \ + /etc/ingress-controller/auth \ + /etc/ingress-controller/geoip \ + /etc/ingress-controller/telemetry \ + /usr/local/nginx \ + /opt/modsecurity/var/log \ + /opt/modsecurity/var/upload \ + /opt/modsecurity/var/audit \ + /var/log/audit \ + /var/log/nginx \ + /tmp/nginx \ + ); + for dir in "${writeDirs[@]}"; do + mkdir -p ${dir}; + chown -R www-data.www-data ${dir}; + done + + rm -rf /etc/nginx/owasp-modsecurity-crs/.git + rm -rf /etc/nginx/owasp-modsecurity-crs/util/regression-tests + + # remove .a files + find /usr/local -name "*.a" -print | xargs /bin/rm + + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/images/nginx-1.25/rootfs/Dockerfile#L31-L34 + mkdir -p $CRAFT_PART_INSTALL/usr/local + cp -rp /usr/local/* $CRAFT_PART_INSTALL/usr/local + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/rootfs/Dockerfile#L73-L74 + setcap cap_net_bind_service=+ep $CRAFT_PART_INSTALL/usr/local/nginx/sbin/nginx + setcap -v cap_net_bind_service=+ep $CRAFT_PART_INSTALL/usr/local/nginx/sbin/nginx + + mkdir -p $CRAFT_PART_INSTALL/usr/local/lib + LIBPATH="/usr/lib/x86_64-linux-gnu" + if [ $CRAFT_TARGET_ARCH == "arm64" ]; then + LIBPATH="/usr/lib/aarch64-linux-gnu" + fi + cp $LIBPATH/libopentelemetry* $CRAFT_PART_INSTALL/usr/local/lib + mkdir -p $CRAFT_PART_INSTALL/opt + cp -rp /opt/* $CRAFT_PART_INSTALL/opt + + mkdir -p $CRAFT_PART_INSTALL/etc/nginx + cp -rp $CRAFT_PART_SRC/rootfs/etc/nginx/* $CRAFT_PART_INSTALL/etc/nginx + cp -rp /etc/nginx/* $CRAFT_PART_INSTALL/etc/nginx + + # Added files/directories that need creating: + mkdir -p $CRAFT_PART_INSTALL/var/log + cp -rp /var/log/nginx $CRAFT_PART_INSTALL/var/log + cp -rp /var/log/audit $CRAFT_PART_INSTALL/var/log + + mkdir -p $CRAFT_PART_INSTALL/var/lib/nginx + + stage: + - usr/local/* + - usr/lib/* + - opt/* + 
- etc/nginx/* + - var/log/nginx + - var/log/audit + - var/lib/nginx + + build-go-binaries: + after: ['build-nginx'] + plugin: go + + build-environment: + - CGO_ENABLED: 0 + + build-snaps: + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/GOLANG_VERSION#L1 + - go/1.22/stable + + build-packages: + - libcap2-bin + + source-type: git + source: https://github.com/kubernetes/ingress-nginx + source-tag: controller-v1.11.0 + source-depth: 1 + + override-build: | + set -eux -o pipefail + + mkdir -p rootfs/bin + + export TAG="controller-v1.11.0" + export PKG="k8s.io/ingress-nginx" + export ARCH="$CRAFT_TARGET_ARCH" + cd $CRAFT_PART_SRC + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/Makefile#L45-L46 + export COMMIT_SHA=`git rev-parse HEAD` + export REPO_INFO=`git config --get remote.origin.url` + + bash build/build.sh + + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/rootfs/Dockerfile#L44-L46 + cp rootfs/bin/${ARCH}/{dbg,nginx-ingress-controller,wait-shutdown} $CRAFT_PART_INSTALL + chown -R www-data:www-data $CRAFT_PART_INSTALL/{dbg,nginx-ingress-controller,wait-shutdown} + + setcap cap_net_bind_service=+ep $CRAFT_PART_INSTALL/nginx-ingress-controller + setcap -v cap_net_bind_service=+ep $CRAFT_PART_INSTALL/nginx-ingress-controller + + # NOTE(aznashwan): dumb-init is a staged package. + # setcap cap_net_bind_service=+ep $CRAFT_PART_INSTALL/usr/bin/dumb-init + # setcap -v cap_net_bind_service=+ep $CRAFT_PART_INSTALL/usr/bin/dumb-init diff --git a/kube-webhook-certgen/v1.4.0/README.md b/kube-webhook-certgen/v1.4.0/README.md new file mode 100644 index 0000000..a3d81c4 --- /dev/null +++ b/kube-webhook-certgen/v1.4.0/README.md 
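Review bot: The `get_src` helper in build-nginx's override-build downloads every module tarball over the network, but its `sha256sum -c` line is commented out under `# TODO: Reenable checksum verification`, and the two opentelemetry calls pass the placeholder `get_src abc123 ...`, so none of the digests pinned next to each URL are checked at build time; restoring `echo "$hash $f" | sha256sum -c - || exit 10` and replacing `abc123` with the real digests (`<SHA256_OF_TARBALL>` until obtained) would make those pins meaningful. The ssdeep step `git clone --depth=1 https://github.com/ssdeep-project/ssdeep` is the only fetch with no tag or commit pin, unlike the ngx_brotli and ModSecurity clones that `git reset --hard`/`git checkout` a fixed ref, so that part of the build is not reproducible. Separately, the `services.nginx` entry sets no `user:`/`group:`, so unless the rock is configured to run as non-root elsewhere the controller runs as root, which makes the `chown -R www-data:www-data` and `setcap cap_net_bind_service=+ep` steps moot; the kube-webhook-certgen spec in this same commit does set `user: nonroot`. Several comment links (`controller-v1.10.1/GOLANG_VERSION#L1`, `controller-v1.10.1/rootfs/Dockerfile#L48-L63`) still point at the 1.10.1 tree inside this v1.11.0 spec, and `delcarations` in the environment comment is a typo.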
@@ -0,0 +1,5 @@
+# ROCK specs for kube-webhook-certgen.
+
+Aims to be compatible with `registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0`.
+
+Built from the code/image definitions in the [`images/kube-webhook-certgen`](https://github.com/kubernetes/ingress-nginx/tree/controller-v1.11.0/images/kube-webhook-certgen) subdir.
diff --git a/kube-webhook-certgen/v1.4.0/nsswitch.conf b/kube-webhook-certgen/v1.4.0/nsswitch.conf
new file mode 100644
index 0000000..2ac4250
--- /dev/null
+++ b/kube-webhook-certgen/v1.4.0/nsswitch.conf
@@ -0,0 +1,23 @@
+# This file is lifted as-is from the distroless repo from here:
+# https://github.com/GoogleContainerTools/distroless/blob/main/base/nsswitch.tar
+
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: compat
+group: compat
+shadow: compat
+gshadow: files
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+
diff --git a/kube-webhook-certgen/v1.4.0/pebble-entrypoint.sh b/kube-webhook-certgen/v1.4.0/pebble-entrypoint.sh
new file mode 100755
index 0000000..55b90f9
--- /dev/null
+++ b/kube-webhook-certgen/v1.4.0/pebble-entrypoint.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -eux -o pipefail
+
+# NOTE(aznashwan): the kube-webhook-certgen binary executes extremely
+# fast (<1s) which makes Pebble consider it failed and not exiting
+# properly after it runs, even if 'on-success: shutdown' is specified,
+# so we must create this entrypoint script which sleeps before executing
+# the actual entrypoint.
+sleep 1.1
+
+/kube-webhook-certgen $@
diff --git a/kube-webhook-certgen/v1.4.0/rockcraft.yaml b/kube-webhook-certgen/v1.4.0/rockcraft.yaml
new file mode 100644
index 0000000..66fe2aa
--- /dev/null
+++ b/kube-webhook-certgen/v1.4.0/rockcraft.yaml
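Review bot: The last line of pebble-entrypoint.sh, `/kube-webhook-certgen $@`, leaves `$@` unquoted, so any argument containing whitespace or glob characters is re-split or expanded before it reaches the binary; `exec /kube-webhook-certgen "$@"` preserves the argument vector exactly and, with `exec`, lets signals Pebble sends to the service reach the binary rather than the wrapper shell. The script also sets `-o pipefail` under `#!/bin/sh` although it contains no pipeline; the rockcraft service invokes it through `busybox sh` so this works today, but a `/bin/sh` that lacks `pipefail` would reject the `set` line when the script is run via its shebang, and dropping `-o pipefail` costs nothing. The same pattern presumably exists in the v1.4.1 copy listed in the diffstat, which is outside this hunk.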
@@ -0,0 +1,157 @@ +# Copyright 2024 Canonical Ltd. +# See LICENSE file for licensing details. + +# Rockcraft definition for the kube-webhook-certgen:v1.4.0 image: +# registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0 + +name: kube-webhook-certgen +summary: Rock containing kube-webhook-certgen executable. +description: | + Rock containing kube-webhook-certgen executable available at: + https://github.com/kubernetes/ingress-nginx/tree/controller-v1.10.1/images/kube-webhook-certgen +license: Apache-2.0 + +# NOTE(aznashwan): the `kube-webhook-certgen` image is versioned independently +# from the main `nginx-ingress-controller` image, with 'v1.4.0' being the tag +# corresponding to the `controller-v1.10.1` +# https://github.com/kubernetes/ingress-nginx/pull/11033 +# https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.10.0 +version: v1.4.0 + +# NOTE(aznashwan): upstream image is build from `gcr.io/distroless/static:nonroot`: +# https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/images/kube-webhook-certgen/rootfs/Dockerfile#L27 +# The base `distroless/static:nonroot` image is built using Bazel and is basically +# just a very minimal Debian-based image with a `nonroot` user added to it. 
+# https://github.com/GoogleContainerTools/distroless/blob/main/base +base: bare +build-base: ubuntu@22.04 +platforms: + amd64: + arm64: + +services: + kube_webhook_certgen: + startup: enabled + override: replace + + # NOTE(aznashwan): simple script which sleeps for 1 second before + # exec-ing the actual kube-webhook-certgen binary: + # https://github.com/canonical/pebble/issues/240#issuecomment-1599722443 + command: busybox sh /pebble-entrypoint.sh [ create ] + + on-success: shutdown + on-failure: shutdown + + user: nonroot + group: nonroot + working-dir: / + +entrypoint-service: kube_webhook_certgen + +parts: + + # NOTE(aznashwan): upstream image is build from `gcr.io/distroless/static:nonroot`: + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/images/kube-webhook-certgen/rootfs/Dockerfile#L27 + # The base `distroless/static:nonroot` image is built using Bazel and is basically + # just a very minimal Debian-based image with a `nonroot` user added to it. + # https://github.com/GoogleContainerTools/distroless/blob/main/base + install-base-packages: + plugin: nil + stage-packages: + - base-files + - netbase + - tzdata + - passwd + - login + # https://github.com/GoogleContainerTools/distroless/blob/a019fc2/base/base.bzl#L118 + - libssl3 + override-build: | + set -eux -o pipefail + + # Manually include nsswitch.conf as seen here: + # https://github.com/GoogleContainerTools/distroless/blob/a019fc2/base/base.bzl#L92 + etc="$CRAFT_PART_INSTALL/etc" + mkdir -p $etc + cp $CRAFT_PROJECT_DIR/nsswitch.conf $etc/nsswitch.conf + + include-busybox-binary: + after: ["install-base-packages"] + plugin: nil + + build-packages: + - busybox-static + + override-build: | + set -eux + + mkdir -p "$CRAFT_PART_INSTALL/bin" + cp $(which busybox) "$CRAFT_PART_INSTALL/bin" + + setup-users: + after: ["install-base-packages"] + plugin: nil + stage-packages: + # NOTE(aznashwan): considering we can't use `overlay-script` when + # using 'base: bare', we need to (re)stage 
`passwd` here: + - passwd + override-build: | + set -eux -o pipefail + + # https://github.com/GoogleContainerTools/distroless/blob/a019fc2/common/variables.bzl#L17-L19 + ROOT_UID=0 + NONROOT_UID=65532 + NOBODY_UID=65534 + + # root: + groupadd -R $CRAFT_PART_INSTALL -r -g $ROOT_UID root + useradd -R $CRAFT_PART_INSTALL \ + -s /sbin/nologin -d /root --no-log-init -r -m -g $ROOT_UID -u $ROOT_UID root + + # nobody: + groupadd -R $CRAFT_PART_INSTALL -r -g $NOBODY_UID nobody + useradd -R $CRAFT_PART_INSTALL \ + -s /sbin/nologin -d /nonexistent --no-log-init -r -m -g $NOBODY_UID -u $NOBODY_UID nobody + + # nonroot: + NONROOT_HOME="$CRAFT_PART_INSTALL/home/nonroot" + mkdir -p $NONROOT_HOME + + groupadd -R $CRAFT_PART_INSTALL -r -g $NONROOT_UID nonroot + useradd -R $CRAFT_PART_INSTALL \ + -s /sbin/nologin -d $NONROOT_HOME --no-log-init -r -m -g $NONROOT_UID -u $NONROOT_UID nonroot + + chown -R $NONROOT_UID:$NONROOT_UID $NONROOT_HOME + + # Sourced from: + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/images/kube-webhook-certgen/rootfs/Dockerfile + build-kube-webhook-certgen: + after: ["setup-users"] + plugin: go + + source-type: git + source: https://github.com/kubernetes/ingress-nginx + source-tag: controller-v1.10.1 + source-depth: 1 + source-subdir: images/kube-webhook-certgen/rootfs/ + + build-environment: + - CGO_ENABLED: 0 + - GOOS: linux + - GOARCH: $CRAFT_ARCH_BUILD_FOR + + build-snaps: + # https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.1/GOLANG_VERSION#L1 + - go/1.22/stable + + override-build: | + set -eux -o pipefail + + cd $CRAFT_PART_SRC/images/kube-webhook-certgen/rootfs + + go mod tidy + go build -a -o kube-webhook-certgen main.go + + cp ./kube-webhook-certgen $CRAFT_PART_INSTALL/kube-webhook-certgen + + cp $CRAFT_PROJECT_DIR/pebble-entrypoint.sh $CRAFT_PART_INSTALL/pebble-entrypoint.sh + chmod +x $CRAFT_PART_INSTALL/pebble-entrypoint.sh 
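Review bot: Both `install-base-packages` and `setup-users` list `passwd` (and the former also `login`) under `stage-packages`, so the shadow-suite account-management tools — several of which are installed setuid root on Ubuntu — end up inside a runtime image that is meant to mirror `distroless/static:nonroot`, which ships only the generated `/etc/passwd` and `/etc/group`. The `groupadd`/`useradd -R $CRAFT_PART_INSTALL` calls execute on the build host, so moving `passwd` to `build-packages` (or adding a `stage:` filter that keeps only `etc/passwd`, `etc/group` and `etc/shadow`) should suffice, though I have not verified how the `base: bare` constraint mentioned in the comment interacts with that. Separately, `go mod tidy` in `build-kube-webhook-certgen` may resolve modules beyond what the upstream tag's `go.sum` pins if that tree is not already tidy; `go mod download` followed by `go build -mod=readonly -a -o kube-webhook-certgen main.go` keeps the dependency set identical to the image being mirrored.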
diff --git a/kube-webhook-certgen/v1.4.1/nsswitch.conf b/kube-webhook-certgen/v1.4.1/nsswitch.conf index addd493..2ac4250 100644 --- a/kube-webhook-certgen/v1.4.1/nsswitch.conf +++ b/kube-webhook-certgen/v1.4.1/nsswitch.conf @@ -1,4 +1,4 @@ -# This file is lifted as-is from the distrolles repo from here: +# This file is lifted as-is from the distroless repo from here: # https://github.com/GoogleContainerTools/distroless/blob/main/base/nsswitch.tar # diff --git a/kube-webhook-certgen/v1.4.1/pebble-entrypoint.sh b/kube-webhook-certgen/v1.4.1/pebble-entrypoint.sh new file mode 100755 index 0000000..55b90f9 --- /dev/null +++ b/kube-webhook-certgen/v1.4.1/pebble-entrypoint.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +set -eux -o pipefail + +# NOTE(aznashwan): the kube-webhook-certgen binary executes extremely +# fast (<1s) which makes Pebble consider it failed and not exiting +# properly after it runs, even if 'on-success: shutdown' is specified, +# so we must create this entrypoint script which sleeps before executing +# the actual entrypoint. +sleep 1.1 + +/kube-webhook-certgen $@ diff --git a/kube-webhook-certgen/v1.4.1/rockcraft.yaml b/kube-webhook-certgen/v1.4.1/rockcraft.yaml index a38cd68..e21f5b6 100644 --- a/kube-webhook-certgen/v1.4.1/rockcraft.yaml +++ b/kube-webhook-certgen/v1.4.1/rockcraft.yaml @@ -34,12 +34,20 @@ services: startup: enabled override: replace - command: /kube-webhook-certgen + # NOTE(aznashwan): simple script which sleeps for 1 second before + # exec-ing the actual kube-webhook-certgen binary: + # https://github.com/canonical/pebble/issues/240#issuecomment-1599722443 + command: busybox sh /pebble-entrypoint.sh [ create ] + + on-success: shutdown + on-failure: shutdown user: nonroot group: nonroot working-dir: / +entrypoint-service: kube_webhook_certgen + parts: # NOTE(aznashwan): upstream image is build from `gcr.io/distroless/static:nonroot`: 
@@ -66,27 +74,18 @@ parts: mkdir -p $etc cp $CRAFT_PROJECT_DIR/nsswitch.conf $etc/nsswitch.conf - include-busybox-debug: + include-busybox-binary: after: ["install-base-packages"] plugin: nil + build-packages: - busybox-static - build-environment: - # NOTE(aznashwan): the upstream dstroless images also have variants with - # BusyBox included to facilitate debugging, which we will conditionally - # include based on this environment variable. - # https://github.com/GoogleContainerTools/distroless/blob/a019fc2/base/base.bzl#L157 - # TODO(aznashwan): set this back to 0: - - DISTROLESS_BUSYBOX_DEBUG: 1 - override-build: | set -eux - if [ "$DISTROLESS_BUSYBOX_DEBUG" -eq "1" ]; then - mkdir -p "$CRAFT_PART_INSTALL/bin" - cp $(which busybox) "$CRAFT_PART_INSTALL/bin" - fi + mkdir -p "$CRAFT_PART_INSTALL/bin" + cp $(which busybox) "$CRAFT_PART_INSTALL/bin" setup-users: after: ["install-base-packages"] @@ -153,3 +152,6 @@ parts: go build -a -o kube-webhook-certgen main.go cp ./kube-webhook-certgen $CRAFT_PART_INSTALL/kube-webhook-certgen + + cp $CRAFT_PROJECT_DIR/pebble-entrypoint.sh $CRAFT_PART_INSTALL/pebble-entrypoint.sh + chmod +x $CRAFT_PART_INSTALL/pebble-entrypoint.sh diff --git a/tests/integration/test_nginx_components_in_helm_chart.py b/tests/integration/test_nginx_components_in_helm_chart.py index 6353580..7572ecd 100644 --- a/tests/integration/test_nginx_components_in_helm_chart.py +++ b/tests/integration/test_nginx_components_in_helm_chart.py @@ -2,13 +2,14 @@ # Copyright 2024 Canonical, Ltd. # +import functools import json import logging import sys import pytest from k8s_test_harness import harness -from k8s_test_harness.util import env_util, platform_util +from k8s_test_harness.util import constants, env_util, k8s_util, platform_util LOG: logging.Logger = logging.getLogger(__name__) 
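Review bot: The rewritten `include-busybox-binary` part ships a full BusyBox into the runtime image unconditionally, and the removed comment that framed it as a debug-only variant of the distroless image goes with it; the image therefore no longer matches the shell-less `distroless/static:nonroot` it aims to be compatible with, and the admission job's container gains a working shell it did not have upstream. If the only consumer is the `sleep` in `pebble-entrypoint.sh`, the trade-off should be recorded on the part, e.g. `# NOTE: busybox is shipped only to run /pebble-entrypoint.sh (sleep before exec); the upstream image has no shell.`, and the rock's README should mention the deviation. The same dependency is introduced by the `command: busybox sh /pebble-entrypoint.sh [ create ]` line in the services hunk above.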
@@ -16,16 +17,22 @@ LOG.addHandler(logging.StreamHandler(sys.stdout)) -NGINX_CONTROLLER_VERSIONS = ["v1.11.0"] +NGINX_CONTROLLER_VERSIONS = ["v1.10.1", "v1.11.0"] # NOTE(aznashwan): the `kube-webhook-certgen` image is versioned # separately from the main `nginx-controller` image. NGINX_KUBE_WEBHOOK_CERTGEN_VERSION_MAP = { # https://github.com/kubernetes/ingress-nginx/pull/11212 # https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.0 - "v1.11.0": "v1.4.1" + "v1.11.0": "v1.4.1", + # https://github.com/kubernetes/ingress-nginx/pull/11033 + # https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.10.0 + "v1.10.1": "v1.4.0", } -CHART_RELEASE_URL = "https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-4.11.1/ingress-nginx-4.11.1.tgz" +# HACK(aznashwan): revert to upstream chart once this PR is included in a release: +# https://github.com/kubernetes/ingress-nginx/pull/11710 +# CHART_RELEASE_URL = "https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-4.11.1/ingress-nginx-4.11.1.tgz" +CHART_RELEASE_URL = "https://github.com/aznashwan/ingress-nginx/releases/download/helm-chart-4.11.1/ingress-nginx-4.11.1.tgz" INSTALL_NAME = "ingress-nginx" # This mapping indicates which fields of the upstream Nginx-ingress Helm chart 
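Review bot: `CHART_RELEASE_URL` now points the integration test at a tarball hosted under a personal fork (`github.com/aznashwan/...`) and nothing pins what is fetched, so the chart the CI installs is whatever that release asset contains at run time rather than a reviewed upstream artifact. Until upstream PR 11710 is released and the HACK is reverted, it would be worth pinning the asset — e.g. fetching the tarball first and comparing it against a `CHART_RELEASE_SHA256 = "<sha256 of the tarball>"` constant, or `helm install --verify` if a provenance file is published alongside it — and tracking the revert in an issue so the fork URL does not outlive its purpose.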
@@ -33,13 +40,34 @@ # image URLs and version during testing. # https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml IMAGE_NAMES_TO_CHART_VALUES_OVERRIDES_MAP = { - # TODO(aznashwan): enable this when controller ROCK is ready: - # "controller": "controller", + "controller": "controller", # https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml#L807 "kube-webhook-certgen": "controller.admissionWebhooks.patch", } +def describe_resources_on_error(resource_type: str): + def _decorator(fun): + @functools.wraps(fun) + def _inner(function_instance: harness.Instance, *args, **kwargs): + try: + return fun(function_instance, *args, **kwargs) + except Exception: + proc = function_instance.exec( + ["k8s", "kubectl", "describe", resource_type], capture_output=True + ) + LOG.info( + f"### All current '{resource_type}' definitions: " + f"{proc.stdout.decode()}" + ) + raise + + return _inner + + return _decorator + + +@describe_resources_on_error("pods") @pytest.mark.parametrize("controller_version", NGINX_CONTROLLER_VERSIONS) def test_nginx_ingress_chart_deployment( function_instance: harness.Instance, controller_version: str 
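Review bot: In `describe_resources_on_error`, the diagnostic `function_instance.exec([..., "describe", resource_type], capture_output=True)` runs inside the `except` block without its own guard, so if `kubectl` itself fails (API server unreachable, cluster already torn down) the exception that surfaces is the describe failure and the test's real failure is only reachable via `__context__`. Wrapping the dump in `try: ... except Exception: LOG.exception("failed to describe %s", resource_type)` before the bare `raise` keeps the original error as the headline. Two smaller points: `LOG.info("### All current '%s' definitions: %s", resource_type, proc.stdout.decode())` is the conventional lazy form instead of the f-string, and `kubectl describe pods` can print literal container environment values, so the dump is better kept at DEBUG level should the chart under test ever carry sensitive values in `env`.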
@@ -51,12 +79,38 @@ def test_nginx_ingress_chart_deployment( # image fields for each component: all_chart_value_overrides_args = [] - # TODO(aznashwan): enable when nginx rock is ready: - # nginx_rock_info = env_util.get_build_meta_info_for_rock_version( - # "controller", - # controller_version, - # architecture, - # ) + controller_rock_info = env_util.get_build_meta_info_for_rock_version( + "controller", + controller_version, + architecture, + ) + controller_chart_section = IMAGE_NAMES_TO_CHART_VALUES_OVERRIDES_MAP["controller"] + controller_image, controller_tag = controller_rock_info.image.split(":") + controller_registry, controller_image_name = controller_image.split("/", maxsplit=1) + all_chart_value_overrides_args.extend( + [ + "--set", + f"{controller_chart_section}.image.registry={controller_registry}", + "--set", + f"{controller_chart_section}.image.image={controller_image_name}", + "--set", + f"{controller_chart_section}.image.tag={controller_tag}", + "--set", + f"{controller_chart_section}.image.digest=", + ] + ) + # NOTE(aznashwan): Ubuntu has defaults for the IDs of the www-data + # user/group different from the ones set in the upstream repo: + # https://github.com/kubernetes/ingress-nginx/blob/helm-chart-4.11.1/charts/ingress-nginx/values.yaml#L34-L35 + www_data_uid = 33 + all_chart_value_overrides_args.extend( + [ + "--set", + f"{controller_chart_section}.image.runAsUser={www_data_uid}", + "--set", + f"{controller_chart_section}.image.runAsGroup={www_data_uid}", + ] + ) certgen_rock_info = env_util.get_build_meta_info_for_rock_version( "kube-webhook-certgen", @@ -68,7 +122,6 @@ def test_nginx_ingress_chart_deployment( ] certgen_image, certgen_tag = certgen_rock_info.image.split(":") certgen_registry, certgen_image_name = certgen_image.split("/", maxsplit=1) - certgen_digest = certgen_tag.split('0')[0] all_chart_value_overrides_args.extend( [ "--set", 
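Review bot: `controller_image, controller_tag = controller_rock_info.image.split(":")` raises `ValueError` as soon as the registry part of the reference carries a port (a local test registry such as `localhost:5000/...` is a constructed example), because the unpack then sees three fields; `controller_image, controller_tag = controller_rock_info.image.rsplit(":", 1)` splits on the last colon only, and the pre-existing `certgen_image, certgen_tag = ...split(":")` context line in the next hunk has the same issue. The controller and certgen blocks are now near-duplicates (registry/image/tag/digest overrides built from a chart section name), so a small helper such as `_image_override_args(chart_section, image_ref) -> list[str]` would remove the copy and give the `rsplit` fix a single home. Setting `image.digest=` to empty intentionally switches the chart from digest-pinned to tag-pinned pulls for the rock under test; a one-line comment saying so would keep the next reader from treating it as an oversight.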
@@ -78,7 +131,14 @@ def test_nginx_ingress_chart_deployment( "--set", f"{certgen_chart_section}.image.tag={certgen_tag}", "--set", - f"{certgen_chart_section}.image.digest=sha256:{certgen_digest}", + f"{certgen_chart_section}.image.digest=", + ] + ) + # NOTE(aznashwan): admission web hook containers are set to RO: + all_chart_value_overrides_args.extend( + [ + "--set", + "controller.admissionWebhooks.createSecretJob.securityContext.readOnlyRootFilesystem=false", ] ) @@ -101,4 +161,11 @@ def test_nginx_ingress_chart_deployment( function_instance.exec(helm_command) - # TODO(aznashwan): add checks for controller pod and certgen admission hook: + deployment_name = "ingress-nginx-controller" + retry_kwargs = {"retry_times": 30, "retry_delay_s": 10} + k8s_util.wait_for_deployment( + function_instance, + deployment_name, + condition=constants.K8S_CONDITION_AVAILABLE, + **retry_kwargs, + ) diff --git a/tests/sanity/test_controller.py b/tests/sanity/test_controller.py new file mode 100644 index 0000000..3d4bb76 --- /dev/null +++ b/tests/sanity/test_controller.py 
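Review bot: The new `--set controller.admissionWebhooks.createSecretJob.securityContext.readOnlyRootFilesystem=false` override relaxes a hardening default of the upstream chart, and the accompanying comment only states that the containers are read-only, not why the rock cannot run that way (presumably the Pebble entrypoint needs a writable state directory — I could not confirm that from this diff). The reason belongs in the comment, e.g. `# NOTE: the rock's entrypoint (pebble) needs a writable path; upstream runs the job with a read-only root FS`, and if the chart exposes a writable volume for the job that would be the narrower fix than disabling the read-only root filesystem outright. Only the create job is relaxed here; if the patch job runs the same rock it is worth checking whether it needs the same treatment or passes only because it does not write.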
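Review bot: The removed TODO asked for checks on both the controller pod and the certgen admission hook, but the new code only waits for the `ingress-nginx-controller` deployment to become Available; the admission webhook create/patch jobs — the component the certgen rock is actually exercising — are never asserted on, so a failing or retrying job would go unnoticed as long as the controller comes up. A follow-up `kubectl wait --for=condition=complete` on the admission jobs (or whichever `k8s_util` helper covers jobs, if one exists) would close that gap. `retry_kwargs` is used exactly once, so `retry_times=30, retry_delay_s=10` can be passed inline unless the dict is meant to be shared with a later wait.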
@@ -0,0 +1,58 @@ +# +# Copyright 2024 Canonical, Ltd. +# + +import logging +import sys + +import pytest +from k8s_test_harness.util import docker_util, env_util, platform_util + +LOG: logging.Logger = logging.getLogger(__name__) + +LOG.addHandler(logging.FileHandler(f"{__name__}.log")) +LOG.addHandler(logging.StreamHandler(sys.stdout)) + + +IMAGE_NAME = "controller" +IMAGE_VERSIONS = ["v1.10.1", "v1.11.0"] + + +@pytest.mark.abort_on_fail +@pytest.mark.parametrize("image_version", IMAGE_VERSIONS) +def test_compare_rock_files_to_original(image_version): + """Test ROCK contains same fileset as original image.""" + + original_image = f"registry.k8s.io/ingress-nginx/{IMAGE_NAME}:{image_version}" + architecture = platform_util.get_current_rockcraft_platform_architecture() + + rock_meta = env_util.get_build_meta_info_for_rock_version( + IMAGE_NAME, image_version, architecture + ) + rock_image = rock_meta.image + + dirs_to_compare = ["/etc/nginx", "/usr/local/nginx", "/opt"] + for dir_to_check in dirs_to_compare: + original_image_files = docker_util.list_files_under_container_image_dir( + original_image, root_dir=dir_to_check + ) + rock_image_files = docker_util.list_files_under_container_image_dir( + rock_image, root_dir=dir_to_check + ) + + rock_fileset = set(rock_image_files) + original_fileset = set(original_image_files) + + original_extra_files = original_fileset - rock_fileset + if original_extra_files: + pytest.fail( + f"Missing some files from the original image: " + f"{original_extra_files}" + ) + + rock_extra_files = rock_fileset - original_fileset + if rock_extra_files: + pytest.fail( + f"Rock has extra files not present in original image: " + f"{rock_extra_files}" + ) diff --git a/tests/sanity/test_kube_webhook_certgen.py b/tests/sanity/test_kube_webhook_certgen.py index 471dbd8..04b26d1 100644 --- a/tests/sanity/test_kube_webhook_certgen.py +++ b/tests/sanity/test_kube_webhook_certgen.py 
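Review bot: `test_compare_rock_files_to_original` compares only the set of paths under `/etc/nginx`, `/usr/local/nginx` and `/opt`, so the properties the controller rockcraft spec deliberately sets on its binaries — `www-data` ownership and the `cap_net_bind_service` file capability on `nginx-ingress-controller` — are not covered, and the controller hunk earlier in this diff copies those binaries to the install root, outside the three compared directories. If `docker_util` can surface ownership or `getcap` output, a second check on the controller binary's path would catch a build that silently drops the capability the controller relies on to bind privileged ports as a non-root user. Because `pytest.fail` fires on the first directory with a difference, only one directory's delta is reported per run; accumulating the differences across `dirs_to_compare` and failing once at the end would give a complete picture.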
@@ -16,7 +16,7 @@ IMAGE_NAME = "kube-webhook-certgen" -IMAGE_VERSIONS = ["v1.4.1"] +IMAGE_VERSIONS = ["v1.4.0", "v1.4.1"] @pytest.mark.abort_on_fail