diff --git a/.github/config/config-gcr-retag b/.github/config/config-gcr-retag
index 6ede979d77..ade06168e7 100644
--- a/.github/config/config-gcr-retag
+++ b/.github/config/config-gcr-retag
@@ -5,8 +5,8 @@ export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
 # declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
 # declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips" "-agent" "-ubi-agent" "-ubi8-agent" "-alpine-fips-agent")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips" "-agent" "-ubi-agent" "-ubi8-agent" "-alpine-fips-agent")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a ADDITIONAL_TAGS=()
diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release
index ce2f107bf3..ed7928bf8c 100644
--- a/.github/config/config-plus-gcr-release
+++ b/.github/config/config-plus-gcr-release
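Review bot: Only the two WAF lists gain the `-agent` postfixes; `NAP_DOS_TAG_POSTFIX_LIST` and `NAP_WAF_DOS_TAG_POSTFIX_LIST` stay at `("" "-ubi")` here and in the config-plus-gcr-release and config-plus-nginx hunks, yet the same change adds `ubi-9-plus-nap-agent` matrix entries for `dos` and `waf,dos`, which the build-plus.yml suffix rule will tag `-ubi-agent`. If these lists drive retagging and release promotion, those DoS agent tags would be skipped silently; either extend them with `"-agent" "-ubi-agent"` or record that DoS agent images are intentionally not promoted. A minor style point: config-plus-gcr-release keeps `NAP_WAFV5_TAG_POSTFIX_LIST` in a different order (`"-alpine-fips" "-ubi8"`) from the other two files, which makes the three configs harder to compare side by side.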
@@ -5,8 +5,8 @@ export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
 # declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
 # declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips" "-ubi8")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips" "-agent" "-ubi-agent" "-ubi8-agent" "-alpine-fips-agent")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips" "-ubi8" "-agent" "-ubi-agent" "-alpine-fips-agent" "-ubi8-agent")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
diff --git a/.github/config/config-plus-nginx b/.github/config/config-plus-nginx
index 546c636721..b3de59319e 100644
--- a/.github/config/config-plus-nginx
+++ b/.github/config/config-plus-nginx
@@ -1,8 +1,8 @@
 export TARGET_REGISTRY=docker-mgmt.nginx.com
 export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips" "-agent" "-ubi-agent" "-ubi8-agent" "-alpine-fips-agent")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips" "-agent" "-ubi-agent" "-ubi8-agent" "-alpine-fips-agent")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 export PUBLISH_OSS=false
diff --git a/.github/data/matrix-images-nap.json b/.github/data/matrix-images-nap.json
index 6e55cd2a0c..57cfd40483 100644
--- a/.github/data/matrix-images-nap.json
+++ b/.github/data/matrix-images-nap.json
@@ -1,6 +1,7 @@
 {
 "image": [
- "debian-plus-nap"
+ "debian-plus-nap",
+ "debian-plus-nap-agent"
 ],
 "platforms": [
 "linux/amd64"
@@ -20,53 +21,107 @@
 "platforms": "linux/amd64",
 "nap_modules": "waf"
 },
+ {
+ "image": "ubi-8-plus-nap-agent",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ },
 {
 "image": "ubi-8-plus-nap-v5",
 "target": "goreleaser",
 "platforms": "linux/amd64",
 "nap_modules": "waf"
 },
+ {
+ "image": "ubi-8-plus-nap-v5-agent",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ },
 {
 "image": "ubi-9-plus-nap",
 "target": "goreleaser",
 "platforms": "linux/amd64",
 "nap_modules": "waf"
 },
+ {
+ "image": "ubi-9-plus-nap-agent",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ },
 {
 "image": "ubi-9-plus-nap",
 "target": "goreleaser",
 "platforms": "linux/amd64",
 "nap_modules": "dos"
 },
+ {
+ "image": "ubi-9-plus-nap-agent",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "dos"
+ },
 {
 "image": "ubi-9-plus-nap",
 "target": "goreleaser",
 "platforms": "linux/amd64",
 "nap_modules": "waf,dos"
 },
+ {
+ "image": "ubi-9-plus-nap-agent",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf,dos"
+ },
 {
 "image": "alpine-plus-nap-fips",
 "target": "goreleaser",
 "platforms": "linux/amd64",
 "nap_modules": "waf"
 },
+ {
+ "image": "alpine-plus-nap-fips-agent",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ },
 {
 "image": "alpine-plus-nap-v5-fips",
 "target": "goreleaser",
 "platforms": "linux/amd64",
 "nap_modules": "waf"
 },
+ {
+ "image": "alpine-plus-nap-v5-fips-agent",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ },
 {
 "image": "debian-plus-nap-v5",
 "target": "goreleaser",
 "platforms": "linux/amd64",
 "nap_modules": "waf"
 },
+ {
+ "image": "debian-plus-nap-v5-agent",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ },
 {
 "image": "ubi-9-plus-nap-v5",
 "target": "goreleaser",
 "platforms": "linux/amd64",
 "nap_modules": "waf"
+ },
+ {
+ "image": "ubi-9-plus-nap-v5-agent",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
 }
 ]
 }
diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json
index 652492ba7b..ae0bfcceae 100644
--- a/.github/data/matrix-smoke-nap.json
+++ b/.github/data/matrix-smoke-nap.json
@@ -71,6 +71,14 @@
 "nap_modules": "waf",
 "marker": "agentv2",
 "platforms": "linux/amd64"
+ },
+ {
+ "label": "AGENT_V3_NAP 1/1",
+ "image": "debian-plus-nap-agent",
+ "type": "plus",
+ "nap_modules": "waf",
+ "marker": "agentv3",
+ "platforms": "linux/amd64"
 }
 ],
 "k8s": []
diff --git a/.github/data/patch-images.json b/.github/data/patch-images.json
index 3fd50dce87..b8698caf19 100644
--- a/.github/data/patch-images.json
+++ b/.github/data/patch-images.json
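Review bot: The single new smoke entry covers only `debian-plus-nap-agent` with marker `agentv3`; the other nine agent entries added to matrix-images-nap.json (the `ubi-8`/`ubi-9` agent images for waf, dos and waf,dos, the `alpine-plus-nap*-fips-agent` images and the `-v5-agent` variants) are built and published with no smoke run at all. The UBI and Alpine bases pull the agent through different package managers than Debian (microdnf and apk versus apt in the Dockerfile hunks below), so a Debian-only check gives little confidence for them. If this is deliberate as a first step, a note in the commit description saying so would help; otherwise at least one UBI and one v5 agent image deserve an `agentv3` entry alongside this one.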
@@ -112,5 +112,53 @@
 "source_os": "ubi",
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress",
 "platforms": "linux/amd64"
+ },
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
+ "source_os": "debian-agent",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
+ "platforms": "linux/amd64"
+ },
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
+ "source_os": "ubi-agent",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
+ "platforms": "linux/amd64"
+ },
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
+ "source_os": "ubi8-agent",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
+ "platforms": "linux/amd64"
+ },
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
+ "source_os": "alpine-fips-agent",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
+ "platforms": "linux/amd64"
+ },
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
+ "source_os": "debian-agent",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
+ "platforms": "linux/amd64"
+ },
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
+ "source_os": "ubi-agent",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
+ "platforms": "linux/amd64"
+ },
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
+ "source_os": "ubi8-agent",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
+ "platforms": "linux/amd64"
+ },
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
+ "source_os": "alpine-fips-agent",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
+ "platforms": "linux/amd64"
 }
 ]
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index af4f9a814b..81e8b9818c 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -169,7 +169,7 @@ jobs:
 images: |
 name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap-modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap-modules, 'waf') && '-nap' || '' }}${{ contains(inputs.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress
 flavor: |
- suffix=${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}
+ suffix=${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}${{ contains(inputs.image, 'agent') && '-agent' || '' }}
 tags: |
 type=raw,value=${{ inputs.tag }}
 labels: |
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
index d6f13da68f..bdaca1d058 100644
--- a/.github/workflows/setup-smoke.yml
+++ b/.github/workflows/setup-smoke.yml
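Review bot: The changed `suffix=` line is now the third copy of the same expression chain, the other two being the `build_tag` and `stable_tag` echoes in the setup-smoke.yml hunk below, and this change already had to extend all three in lockstep for `-agent`; a drift between them would produce an image the smoke job cannot find. Since the files are separate workflows the cheapest guard is a comment above the line, `# keep in sync with setup-smoke.yml build_tag/stable_tag`, or a small shared step that emits the suffix once if the workflows are ever merged. Note too that `contains(inputs.image, 'agent')` is a plain substring test like the existing `fips` check, so any future image name containing "agent" elsewhere in the name will pick up the suffix; fine for the names in this change, but worth stating in that comment.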
@@ -62,8 +62,8 @@ jobs: id: image_details run: | echo "name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap-modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap-modules, 'waf') && '-nap' || '' }}${{ contains(inputs.image, 'v5') && '-v5' || '' }}/nginx${{ contains(inputs.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT - echo "build_tag=${{ inputs.build-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT - echo "stable_tag=${{ inputs.stable-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT + echo "build_tag=${{ inputs.build-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}${{ contains(inputs.image, 'agent') && '-agent' || '' }}" >> $GITHUB_OUTPUT + echo "stable_tag=${{ inputs.stable-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}${{ contains(inputs.image, 'agent') && '-agent' || '' }}" >> $GITHUB_OUTPUT - name: Azure login uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 diff --git a/.gitignore b/.gitignore index ee92d1b304..b9b4cbe17f 100644 --- a/.gitignore 
+++ b/.gitignore @@ -99,6 +99,7 @@ examples/ingress-resources/proxy-set-headers/mergeable-ingress/cafe-secret.yaml examples/ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml examples/ingress-resources/rate-limit/cafe-secret.yaml examples/ingress-resources/security-monitoring/cafe-secret.yaml +examples/ingress-resources/security-monitoring-v5/cafe-secret.yaml examples/ingress-resources/cors/cafe-secret.yaml examples/ingress-resources/ingress-mtls/cafe-secret.yaml examples/ingress-resources/session-persistence/cafe-secret.yaml diff --git a/Makefile b/Makefile index 85265a6070..a0a5667fa8 100644 --- a/Makefile +++ b/Makefile @@ -9,8 +9,8 @@ NGINX_PLUS_VERSION ?= R37.0 NAP_WAF_VERSION ?= 37.0+5.635 NAP_WAF_COMMON_VERSION ?= 11.665 NAP_WAF_PLUGIN_VERSION ?= 6.29 -NAP_AGENT_VERSION ?= 2 -NGINX_AGENT_VERSION ?= 3 +AGENT_V2_VERSION ?= 2 +AGENT_V3_VERSION ?= 3 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key # Variables that can be overridden 
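Review bot: Renaming `NAP_AGENT_VERSION`/`NGINX_AGENT_VERSION` to `AGENT_V2_VERSION`/`AGENT_V3_VERSION` silently drops any override a caller passes under the old names on the make command line or via the environment, because `?=` only consults the new names; the matching `ARG` rename in the build/Dockerfile hunk has the same effect, where an old `--build-arg` is ignored with only a warning. If the old names are part of the documented build interface, keep a one-release fallback: `AGENT_V2_VERSION ?= $(or $(NAP_AGENT_VERSION),2)` and `AGENT_V3_VERSION ?= $(or $(NGINX_AGENT_VERSION),3)`. Otherwise a line in the commit description naming the rename would be enough for anyone whose pipeline stops pinning the agent.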
@@ -185,91 +185,152 @@ build-goreleaser: ## Build Ingress Controller binary using GoReleaser .PHONY: debian-image debian-image: build ## Create Docker image for Ingress Controller (Debian) - $(DOCKER_CMD) --build-arg BUILD_OS=debian --build-arg NGINX_OSS_VERSION=$(NGINX_OSS_VERSION) --build-arg NGINX_AGENT_VERSION=$(NGINX_AGENT_VERSION) + $(DOCKER_CMD) --build-arg BUILD_OS=debian --build-arg NGINX_OSS_VERSION=$(NGINX_OSS_VERSION) --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: alpine-image alpine-image: build ## Create Docker image for Ingress Controller (Alpine) - $(DOCKER_CMD) --build-arg BUILD_OS=alpine --build-arg NGINX_OSS_VERSION=$(NGINX_OSS_VERSION) --build-arg NGINX_AGENT_VERSION=$(NGINX_AGENT_VERSION) + $(DOCKER_CMD) --build-arg BUILD_OS=alpine --build-arg NGINX_OSS_VERSION=$(NGINX_OSS_VERSION) --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: alpine-image-plus alpine-image-plus: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus --build-arg NGINX_AGENT_VERSION=$(NGINX_AGENT_VERSION) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: alpine-image-plus-fips alpine-image-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus and FIPS) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-fips --build-arg NGINX_AGENT_VERSION=$(NGINX_AGENT_VERSION) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-fips --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: alpine-image-nap-plus-fips alpine-image-nap-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF and FIPS) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-fips --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg 
BUILD_OS=alpine-plus-nap-fips --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg AGENT_V2_VERSION=$(AGENT_V2_VERSION) + +.PHONY: alpine-image-nap-plus-fips-agent +alpine-image-nap-plus-fips-agent: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF, FIPS and Agent v3) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-fips-agent --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) \ + --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: alpine-image-nap-v5-plus-fips alpine-image-nap-v5-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAFv5 and FIPS) $(DOCKER_CMD) $(PLUS_ARGS) \ - --build-arg BUILD_OS=alpine-plus-nap-v5-fips --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) + --build-arg BUILD_OS=alpine-plus-nap-v5-fips --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg AGENT_V2_VERSION=$(AGENT_V2_VERSION) + +.PHONY: alpine-image-nap-v5-plus-fips-agent +alpine-image-nap-v5-plus-fips-agent: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAFv5, FIPS and Agent v3) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-v5-fips-agent --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) \ + --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: debian-image-plus debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus --build-arg NGINX_AGENT_VERSION=$(NGINX_AGENT_VERSION) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: debian-image-nap-plus debian-image-nap-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAF) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf \ --build-arg 
NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg NAP_WAF_PLUGIN_VERSION=$(NAP_WAF_PLUGIN_VERSION) \ - --build-arg NAP_WAF_COMMON_VERSION=$(NAP_WAF_COMMON_VERSION) --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) + --build-arg NAP_WAF_COMMON_VERSION=$(NAP_WAF_COMMON_VERSION) --build-arg AGENT_V2_VERSION=$(AGENT_V2_VERSION) + +.PHONY: debian-image-nap-plus-agent +debian-image-nap-plus-agent: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus, NGINX App Protect WAF and Agent v3) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap-agent --build-arg NAP_MODULES=waf \ + --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg NAP_WAF_PLUGIN_VERSION=$(NAP_WAF_PLUGIN_VERSION) \ + --build-arg NAP_WAF_COMMON_VERSION=$(NAP_WAF_COMMON_VERSION) \ + --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: debian-image-nap-v5-plus debian-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAFv5) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap-v5 --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) \ - --build-arg NAP_WAF_PLUGIN_VERSION=$(NAP_WAF_PLUGIN_VERSION) --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) + --build-arg NAP_WAF_PLUGIN_VERSION=$(NAP_WAF_PLUGIN_VERSION) --build-arg AGENT_V2_VERSION=$(AGENT_V2_VERSION) + +.PHONY: debian-image-nap-v5-plus-agent +debian-image-nap-v5-plus-agent: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus, NGINX App Protect WAFv5 and Agent v3) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap-v5-agent --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) \ + --build-arg NAP_WAF_PLUGIN_VERSION=$(NAP_WAF_PLUGIN_VERSION) \ + --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: debian-image-dos-plus debian-image-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect DoS) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap 
--build-arg NAP_MODULES=dos + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap-agent --build-arg NAP_MODULES=dos \ + --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: debian-image-nap-dos-plus debian-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus, NGINX App Protect WAF and DoS) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf,dos \ --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg NAP_WAF_PLUGIN_VERSION=$(NAP_WAF_PLUGIN_VERSION) \ - --build-arg NAP_WAF_COMMON_VERSION=$(NAP_WAF_COMMON_VERSION) --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) + --build-arg NAP_WAF_COMMON_VERSION=$(NAP_WAF_COMMON_VERSION) --build-arg AGENT_V2_VERSION=$(AGENT_V2_VERSION) + +.PHONY: debian-image-nap-dos-plus-agent +debian-image-nap-dos-plus-agent: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus, NGINX App Protect WAF, DoS and Agent v3) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap-agent --build-arg NAP_MODULES=waf,dos \ + --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg NAP_WAF_PLUGIN_VERSION=$(NAP_WAF_PLUGIN_VERSION) \ + --build-arg NAP_WAF_COMMON_VERSION=$(NAP_WAF_COMMON_VERSION) \ + --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: ubi-image ubi-image: build ## Create Docker image for Ingress Controller (UBI) - $(DOCKER_CMD) --build-arg BUILD_OS=ubi --build-arg NGINX_OSS_VERSION=$(NGINX_OSS_VERSION) --build-arg NGINX_AGENT_VERSION=$(NGINX_AGENT_VERSION) + $(DOCKER_CMD) --build-arg BUILD_OS=ubi --build-arg NGINX_OSS_VERSION=$(NGINX_OSS_VERSION) --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: ubi-image-plus ubi-image-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=ubi-9-plus --build-arg NGINX_AGENT_VERSION=$(NGINX_AGENT_VERSION) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=ubi-9-plus --build-arg 
AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: ubi-image-nap-plus ubi-image-nap-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAF) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=ubi-9-plus-nap \ - --build-arg NAP_MODULES=waf --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap \ + --build-arg NAP_MODULES=waf --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg AGENT_V2_VERSION=$(AGENT_V2_VERSION) + +.PHONY: ubi-image-nap-plus-agent +ubi-image-nap-plus-agent: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, NGINX App Protect WAF and Agent v3) + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap-agent \ + --build-arg NAP_MODULES=waf --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) \ + --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: ubi8-image-nap-plus ubi8-image-nap-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAF) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=ubi-8-plus-nap \ - --build-arg NAP_MODULES=waf --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-8-plus-nap \ + --build-arg NAP_MODULES=waf --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg AGENT_V2_VERSION=$(AGENT_V2_VERSION) + +.PHONY: ubi8-image-nap-plus-agent +ubi8-image-nap-plus-agent: build ## Create Docker image for Ingress Controller (UBI8 with NGINX Plus, NGINX App Protect WAF and Agent v3) + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-8-plus-nap-agent \ + --build-arg NAP_MODULES=waf --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) \ + --build-arg 
AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: ubi-image-nap-v5-plus ubi-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAFv5) - $(DOCKER_CMD) $(PLUS_ARGS) \ - --build-arg BUILD_OS=ubi-9-plus-nap-v5 --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license \ + --build-arg BUILD_OS=ubi-9-plus-nap-v5 --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg AGENT_V2_VERSION=$(AGENT_V2_VERSION) + +.PHONY: ubi-image-nap-v5-plus-agent +ubi-image-nap-v5-plus-agent: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, NGINX App Protect WAFv5 and Agent v3) + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license \ + --build-arg BUILD_OS=ubi-9-plus-nap-v5-agent --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) \ + --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: ubi8-image-nap-v5-plus ubi8-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAFv5) - $(DOCKER_CMD) $(PLUS_ARGS) \ - --build-arg BUILD_OS=ubi-8-plus-nap-v5 --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license \ + --build-arg BUILD_OS=ubi-8-plus-nap-v5 --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg AGENT_V2_VERSION=$(AGENT_V2_VERSION) + +.PHONY: ubi8-image-nap-v5-plus-agent +ubi8-image-nap-v5-plus-agent: build ## Create Docker image for Ingress Controller (UBI8 with NGINX Plus, NGINX App Protect WAFv5 and Agent v3) + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license \ + --build-arg BUILD_OS=ubi-8-plus-nap-v5-agent --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) \ + --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: ubi-image-dos-plus ubi-image-dos-plus: build ## Create Docker image for 
Ingress Controller (UBI with NGINX Plus and NGINX App Protect DoS) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=ubi-9-plus-nap \ - --build-arg NAP_MODULES=dos + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap-agent \ + --build-arg NAP_MODULES=dos --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: ubi-image-nap-dos-plus ubi-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, NGINX App Protect WAF and DoS) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=ubi-9-plus-nap \ - --build-arg NAP_MODULES=waf,dos --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap \ + --build-arg NAP_MODULES=waf,dos --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) --build-arg AGENT_V2_VERSION=$(AGENT_V2_VERSION) + +.PHONY: ubi-image-nap-dos-plus-agent +ubi-image-nap-dos-plus-agent: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, NGINX App Protect WAF, DoS and Agent v3) + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap-agent \ + --build-arg NAP_MODULES=waf,dos --build-arg NAP_WAF_VERSION=$(NAP_WAF_VERSION) \ + --build-arg AGENT_V3_VERSION=$(AGENT_V3_VERSION) .PHONY: ubi10-dependency-image-local ubi10-dependency-image-local: ## Build UBI10 dependency image locally (no push). Requires rhel_license. Set PLATFORM=linux/arm64 for arm64 (default: linux/amd64). 
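Review bot: `debian-image-dos-plus` and `ubi-image-dos-plus` are switched to `BUILD_OS=debian-plus-nap-agent` / `ubi-9-plus-nap-agent` and now pass `AGENT_V3_VERSION`, so the DoS-only targets move to the Agent v3 base with no separate `-agent` target, unlike every WAF target in this hunk which keeps both variants; their `##` help text still reads "NGINX Plus and NGINX App Protect DoS" with no mention of the agent. If that is intended, say so in the help, e.g. `## Create Docker image for Ingress Controller (Debian with NGINX Plus, NGINX App Protect DoS and Agent v3)`. The new `--secret id=rhel_license,src=rhel_license` on all the ubi NAP targets is the right mechanism, since a BuildKit secret mount is not persisted into image layers, but those targets now fail outright when `rhel_license` is absent from the working directory; the `ubi10-dependency-image-local` help already ends with "Requires rhel_license." and these targets should carry the same note.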
@@ -279,7 +340,7 @@ ubi10-dependency-image-local: ## Build UBI10 dependency image locally (no push). .PHONY: all-images ## Create all the Docker images for Ingress Controller all-images: docker builder prune -af; \ - images="alpine-image alpine-image-nap-plus-fips alpine-image-nap-v5-plus-fips alpine-image-plus alpine-image-plus-fips debian-image debian-image-dos-plus debian-image-nap-dos-plus debian-image-nap-plus debian-image-nap-v5-plus debian-image-plus ubi-image ubi-image-dos-plus ubi-image-nap-dos-plus ubi-image-nap-plus ubi-image-nap-v5-plus ubi-image-plus ubi8-image-nap-v5-plus"; \ + images="alpine-image alpine-image-nap-plus-fips alpine-image-nap-plus-fips-agent alpine-image-nap-v5-plus-fips alpine-image-nap-v5-plus-fips-agent alpine-image-plus alpine-image-plus-fips debian-image debian-image-dos-plus debian-image-nap-dos-plus debian-image-nap-dos-plus-agent debian-image-nap-plus debian-image-nap-plus-agent debian-image-nap-v5-plus debian-image-nap-v5-plus-agent debian-image-plus ubi-image ubi-image-dos-plus ubi-image-nap-dos-plus ubi-image-nap-dos-plus-agent ubi-image-nap-plus ubi-image-nap-plus-agent ubi-image-nap-v5-plus ubi-image-nap-v5-plus-agent ubi-image-plus ubi8-image-nap-plus-agent ubi8-image-nap-v5-plus ubi8-image-nap-v5-plus-agent"; \ for img in $$images; do \ TAG="$(strip $(TAG))-$$img" make $$img; \ done diff --git a/build/Dockerfile b/build/Dockerfile index f8d21e4de7..7bfbc3a9e6 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -6,8 +6,8 @@ ARG NGINX_PLUS_VERSION=R37.0 ARG NAP_WAF_VERSION=37.0+5.635 ARG NAP_WAF_COMMON_VERSION=11.665 ARG NAP_WAF_PLUGIN_VERSION=6.29 -ARG NGINX_AGENT_VERSION=3 -ARG NAP_AGENT_VERSION=2 +ARG AGENT_V3_VERSION=3 +ARG AGENT_V2_VERSION=2 ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG} 
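Review bot: The updated `images` string in `all-images` adds `ubi8-image-nap-plus-agent` but still omits its non-agent counterpart `ubi8-image-nap-plus`, even though both `ubi8-image-nap-v5-plus` and `ubi8-image-nap-v5-plus-agent` are listed; the omission pre-dates this change, but the new entry makes it look accidental. Either add `ubi8-image-nap-plus` to the string or leave a comment beside it such as `# ubi8-image-nap-plus is intentionally not part of all-images`. If it is added, it now also carries the `rhel_license` secret requirement introduced in the previous hunk, so the same precondition applies to running `all-images`.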
@@ -15,7 +15,7 @@ ARG IMAGE_NAME=nginx/nginx-ingress ARG PACKAGE_REPO=pkgs.nginx.com -############################################# Base images containing libs for FIPS ############################################# +############################################# External dependency images ############################################# ARG UBI8_PACKAGES_IMAGE=ghcr.io/nginx/dependencies/nginx-ubi:ubi8@sha256:734dfa9dc40945e052760f9d9d327b74e6ccb75097cc834a61d9cf77c78b48e8 ARG UBI9_PACKAGES_IMAGE=ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:0c571ec12a92518253bb8726a830ba6f4f44ba0e55bc0716ea96db1df4d182df FROM ${UBI8_PACKAGES_IMAGE} AS ubi8-packages @@ -24,7 +24,7 @@ FROM ghcr.io/nginx/alpine-fips:0.5.0-alpine3.22@sha256:f907d7541ab03453fd7d630dc FROM redhat/ubi9-minimal:9.7-1778562320@sha256:12db9874bd753eb98b1ab3d840e75de5d6842ac0604fbd68c012adefe97140be AS ubi-minimal FROM golang:1.26.3-alpine@sha256:3a8f055e02fce9585d5e4ab5135d57f2e1a947a16e2a7e6a71a78e770c169e9b AS golang-builder -############################################# NGINX files ############################################# +############################################# NGINX repo keys, .repo files, and helper scripts ############################################# FROM scratch AS nginx-files ARG IC_VERSION ARG BUILD_OS 
@@ -93,11 +93,14 @@ RUN --mount=type=bind,from=nginx-files,src=patch-os.sh,target=/usr/local/bin/pat USER 101 -############################################# Base image for Alpine ############################################# +############################################# NGINX OSS on Alpine Linux ############################################# +# Base: nginx:1.31.0-alpine3.23 (official NGINX OSS Alpine image, OSS pre-installed) +# Adds: nginx-module-otel + nginx-agent v3 +# Used as: BUILD_OS=alpine FROM nginx:1.31.0-alpine3.23@sha256:dc48b7a872a79fb541ba5081d320b11b549231bc63ba465a7495afaa7d2ebcb8 AS alpine ARG PACKAGE_REPO ARG NGINX_OSS_VERSION -ARG NGINX_AGENT_VERSION +ARG AGENT_V3_VERSION RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ --mount=type=bind,from=nginx-files,src=user_agent,target=/tmp/user_agent \ 
@@ -106,16 +109,19 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk && export $(cat /tmp/user_agent) \ && printf "%s%s%s\n" "http://packages.nginx.org/nginx/mainline/alpine/v" `egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release` "/main" >> /etc/apk/repositories \ && printf "%s%s%s\n" "http://packages.nginx.org/nginx-agent/alpine/v" `egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release` "/main" >> /etc/apk/repositories \ - && apk add --no-cache nginx-module-otel~${NGINX_OSS_VERSION} nginx-agent~${NGINX_AGENT_VERSION} \ + && apk add --no-cache nginx-module-otel~${NGINX_OSS_VERSION} nginx-agent~${AGENT_V3_VERSION} \ && ldconfig /usr/local/lib/ \ && agent.sh \ && sed -i -e '/nginx.org/d' /etc/apk/repositories -############################################# Base image for Debian ############################################# +############################################# NGINX OSS on Debian 13 ############################################# +# Base: nginx:1.31.0 (official NGINX OSS Debian image, OSS pre-installed) +# Adds: nginx-module-otel + nginx-agent v3 +# Used as: BUILD_OS=debian (default) FROM nginx:1.31.0@sha256:06aa3d7be10bc6307990c81bdca075793132e9163391abc370c015e344e23128 AS debian ARG NGINX_OSS_VERSION -ARG NGINX_AGENT_VERSION +ARG AGENT_V3_VERSION RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ 
@@ -131,18 +137,21 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s && printf "%s" "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" > /etc/apt/preferences.d/99nginx \ && apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y \ - nginx-agent=${NGINX_AGENT_VERSION}* \ + nginx-agent=${AGENT_V3_VERSION}* \ nginx-module-otel=${NGINX_OSS_VERSION}* \ && apt-get purge --auto-remove -y gpg \ && rm -rf /var/lib/apt/lists/* /etc/apt/preferences.d/99nginx /etc/apt/sources.list.d/nginx.list \ && agent.sh -############################################# Base image for UBI ############################################# +############################################# NGINX OSS on Red Hat UBI 9 ############################################# +# Base: ubi-minimal (Red Hat UBI 9 minimal) +# Adds: nginx + nginx-module-njs/otel/image-filter/xslt + nginx-agent v3 +# Used as: BUILD_OS=ubi FROM ubi-minimal AS ubi ARG IC_VERSION ARG NGINX_OSS_VERSION -ARG NGINX_AGENT_VERSION +ARG AGENT_V3_VERSION LABEL name="NGINX Ingress Controller" \ maintainer="kubernetes@nginx.com" \ 
@@ -176,15 +185,18 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s && printf "%s\n" "[agent]" "name=agent repo" \ "baseurl=https://packages.nginx.org/nginx-agent/centos/9/\$basearch/" \ "gpgcheck=1" "enabled=1" "module_hotfixes=true" >> /etc/yum.repos.d/nginx.repo \ - && microdnf --nodocs install -y nginx-${NGINX_OSS_VERSION}* nginx-module-njs-${NGINX_OSS_VERSION}* nginx-module-otel-${NGINX_OSS_VERSION}* nginx-module-image-filter-${NGINX_OSS_VERSION}* nginx-module-xslt-${NGINX_OSS_VERSION}* nginx-agent-${NGINX_AGENT_VERSION}* \ + && microdnf --nodocs install -y nginx-${NGINX_OSS_VERSION}* nginx-module-njs-${NGINX_OSS_VERSION}* nginx-module-otel-${NGINX_OSS_VERSION}* nginx-module-image-filter-${NGINX_OSS_VERSION}* nginx-module-xslt-${NGINX_OSS_VERSION}* nginx-agent-${AGENT_V3_VERSION}* \ && rm /etc/yum.repos.d/nginx.repo \ && ubi-clean.sh -############################################# Base image for Alpine with NGINX Plus ############################################## +############################################# NGINX Plus + Agent v3 on Alpine Linux ############################################# +# Base: alpine:3.22 +# Adds: nginx-plus, nginx-plus-module-njs/otel/fips-check, nginx-agent v3, tracking.info +# Used as: BUILD_OS=alpine-plus FROM alpine:3.22@sha256:310c62b5e7ca5b08167e4384c68db0fd2905dd9c7493756d356e893909057601 AS alpine-plus ARG NGINX_PLUS_VERSION ARG PACKAGE_REPO -ARG NGINX_AGENT_VERSION +ARG AGENT_V3_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} 
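Review bot: `nginx-agent-${AGENT_V3_VERSION}*` uses a bare trailing glob, whereas the `ubi-9-plus` stage re-added later in this diff installs the same package as `nginx-agent-${AGENT_V3_VERSION}.*`; with microdnf the undelimited form also matches any later version sharing the prefix (`3.1*` matches `3.10`). The two UBI stages should agree on one pattern, and it should be one that rejects prefix collisions: `nginx-agent-${AGENT_V3_VERSION}.*` if the argument is a partial version, or `nginx-agent-${AGENT_V3_VERSION}-*` if it is a full one. The RUN starts above the hunk.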
@@ -197,13 +209,16 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ export $(cat /tmp/user_agent) \ && printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent~${NGINX_AGENT_VERSION} libcap libcurl \ + && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent~${AGENT_V3_VERSION} libcap libcurl \ && mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ && agent.sh \ && sed -i -e '/nginx.com/d' /etc/apk/repositories -############################################# Base image for Alpine with NGINX Plus and FIPS ############################################# +############################################# NGINX Plus + FIPS + Agent v3 on Alpine Linux ############################################# +# Base: alpine-plus (NGINX Plus + Agent v3) +# Adds: OpenSSL FIPS provider from alpine-fips-3.22 (fips.so, fipsmodule.cnf, openssl.cnf) +# Used as: BUILD_OS=alpine-plus-fips FROM alpine-plus AS alpine-plus-fips ARG NGINX_PLUS_VERSION 
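Review bot: The cleanup `sed -i -e '/nginx.com/d' /etc/apk/repositories` matches a literal hostname, but the two repository lines it is meant to remove are built from `${PACKAGE_REPO}`; if that build argument is ever pointed at a mirror or internal proxy whose name does not contain `nginx.com`, the licensed Plus and agent repository URLs remain in the shipped image's `/etc/apk/repositories`. Keying the delete on the same variable is more robust: `&& sed -i -e "\|${PACKAGE_REPO}|d" /etc/apk/repositories`. The same literal pattern is copied into every new agent stage below, so whichever form is chosen should be applied to all of them. The RUN starts above the hunk.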
@@ -218,12 +233,14 @@ RUN --mount=type=bind,from=alpine-fips-3.22,target=/tmp/fips/ \ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info -############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS ############################################# -FROM alpine:3.22@sha256:310c62b5e7ca5b08167e4384c68db0fd2905dd9c7493756d356e893909057601 AS alpine-plus-nap-fips +############################################# Intermediate image — NGINX Plus + App Protect WAF v4 + FIPS on Alpine ############################################# +# Base: alpine:3.22 (fresh — does not extend alpine-plus, keeps agent layer separate) +# Installs: nginx-plus, app-protect (NAP WAF v4), attack-signatures, FIPS provider +# Extended: alpine-plus-nap-fips (Agent v2) • alpine-plus-nap-fips-agent (Agent v3) +FROM alpine:3.22@sha256:310c62b5e7ca5b08167e4384c68db0fd2905dd9c7493756d356e893909057601 AS alpine-plus-nap-fips-base ARG NGINX_PLUS_VERSION ARG NAP_WAF_VERSION ARG PACKAGE_REPO -ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} 
@@ -232,15 +249,12 @@ RUN --mount=type=bind,from=alpine-fips-3.22,target=/tmp/fips/ \ --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ --mount=type=bind,from=nginx-files,src=app-protect-security-updates.rsa.pub,target=/etc/apk/keys/app-protect-security-updates.rsa.pub \ --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ - --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \ --mount=type=bind,from=nginx-files,src=tracking.info,target=/tmp/nginx/reporting/tracking.info \ printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/app-protect/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache nginx-agent~${NAP_AGENT_VERSION} \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ 
@@ -252,16 +266,53 @@ RUN --mount=type=bind,from=alpine-fips-3.22,target=/tmp/fips/ \ app-protect-attack-signatures \ app-protect-threat-campaigns \ && sed -i -e '/nginx.com/d' /etc/apk/repositories \ - && nap-waf.sh \ - agent.sh + && nap-waf.sh + + +############################################# NGINX Plus + App Protect WAF v4 + FIPS + Agent v2 on Alpine ############################################# +# Base: alpine-plus-nap-fips-base (NGINX Plus + NAP WAF v4 + FIPS) +# Adds: nginx-agent v2 +# Used as: BUILD_OS=alpine-plus-nap-fips +FROM alpine-plus-nap-fips-base AS alpine-plus-nap-fips +ARG AGENT_V2_VERSION +ARG PACKAGE_REPO + +RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ + --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ + --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ + --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ + printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && apk add --no-cache nginx-agent~${AGENT_V2_VERSION} \ + && sed -i -e '/nginx.com/d' /etc/apk/repositories \ + && agent.sh -############################################# Base image for Alpine with NGINX Plus, App Protect WAFv5 and FIPS ############################################# -FROM alpine:3.22@sha256:310c62b5e7ca5b08167e4384c68db0fd2905dd9c7493756d356e893909057601 AS alpine-plus-nap-v5-fips +############################################# NGINX Plus + App Protect WAF v4 + FIPS + Agent v3 on Alpine ############################################# +# Base: alpine-plus-nap-fips-base (NGINX Plus + NAP WAF v4 + FIPS) +# Adds: nginx-agent v3 +# Used as: BUILD_OS=alpine-plus-nap-fips-agent +FROM alpine-plus-nap-fips-base AS alpine-plus-nap-fips-agent +ARG AGENT_V3_VERSION +ARG PACKAGE_REPO + +RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ 
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ + --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ + --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ + printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && apk add --no-cache nginx-agent~${AGENT_V3_VERSION} \ + && sed -i -e '/nginx.com/d' /etc/apk/repositories \ + && agent.sh + + +############################################# Intermediate image — NGINX Plus + App Protect WAF v5 + FIPS on Alpine ############################################# +# Base: alpine:3.22 (fresh — does not extend alpine-plus, keeps agent layer separate) +# Installs: nginx-plus, app-protect-module-plus (NAP WAF v5), FIPS provider +# Extended: alpine-plus-nap-v5-fips (Agent v2) • alpine-plus-nap-v5-fips-agent (Agent v3) +FROM alpine:3.22@sha256:310c62b5e7ca5b08167e4384c68db0fd2905dd9c7493756d356e893909057601 AS alpine-plus-nap-v5-fips-base ARG NGINX_PLUS_VERSION ARG PACKAGE_REPO ARG NAP_WAF_VERSION -ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} 
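Review bot: This hunk quietly changes what runs on the Alpine NAP WAF v4 FIPS image: the removed lines were `&& nap-waf.sh \` followed by a bare `agent.sh` on the continuation line, i.e. `agent.sh` was passed as an argument to `nap-waf.sh` rather than executed, while the new `alpine-plus-nap-fips` and `alpine-plus-nap-fips-agent` stages end with `&& agent.sh` as a real step. Unless `nap-waf.sh` executes its argument (it is not visible here), whatever `agent.sh` changes on the filesystem now happens in these images for the first time, which deserves a sentence in the commit message and a check that the FIPS image still passes its existing checks. The two new stages are identical apart from `AGENT_V2_VERSION`/`AGENT_V3_VERSION`; a comment on the base stage such as `# agent.sh was previously never invoked here (it was an argument to nap-waf.sh); the derived stages now run it` would spare the next reader the archaeology.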
@@ -269,14 +320,11 @@ RUN --mount=type=bind,from=alpine-fips-3.22,target=/tmp/fips/ \ --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ - --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \ --mount=type=bind,from=nginx-files,src=tracking.info,target=/tmp/nginx/reporting/tracking.info \ printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/app-protect-x-plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache nginx-agent~${NAP_AGENT_VERSION} \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ 
@@ -285,11 +333,49 @@ RUN --mount=type=bind,from=alpine-fips-3.22,target=/tmp/fips/ \ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ && apk add --no-cache app-protect-module-plus~=${NAP_WAF_VERSION/+/.} \ && sed -i -e '/nginx.com/d' /etc/apk/repositories \ - && nap-waf.sh \ - agent.sh + && nap-waf.sh -############################################# Base image for Debian with NGINX Plus only ############################################# +############################################# NGINX Plus + App Protect WAF v5 + FIPS + Agent v2 on Alpine ############################################# +# Base: alpine-plus-nap-v5-fips-base (NGINX Plus + NAP WAF v5 + FIPS) +# Adds: nginx-agent v2 +# Used as: BUILD_OS=alpine-plus-nap-v5-fips +FROM alpine-plus-nap-v5-fips-base AS alpine-plus-nap-v5-fips +ARG AGENT_V2_VERSION +ARG PACKAGE_REPO + +RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ + --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ + --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ + --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ + printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && apk add --no-cache nginx-agent~${AGENT_V2_VERSION} \ + && sed -i -e '/nginx.com/d' /etc/apk/repositories \ + && agent.sh + + +############################################# NGINX Plus + App Protect WAF v5 + FIPS + Agent v3 on Alpine ############################################# +# Base: alpine-plus-nap-v5-fips-base (NGINX Plus + NAP WAF v5 + FIPS) +# Adds: nginx-agent v3 +# Used as: BUILD_OS=alpine-plus-nap-v5-fips-agent +FROM alpine-plus-nap-v5-fips-base AS alpine-plus-nap-v5-fips-agent +ARG AGENT_V3_VERSION +ARG PACKAGE_REPO + +RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ + 
--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ + --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ + --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ + printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && apk add --no-cache nginx-agent~${AGENT_V3_VERSION} \ + && sed -i -e '/nginx.com/d' /etc/apk/repositories \ + && agent.sh + + +############################################# Intermediate image — NGINX Plus on Debian 13 (Trixie) ############################################# +# Base: debian:13-slim +# Installs: nginx-plus, nginx-plus-module-njs/otel/fips-check, libcap2-bin, libcurl4 +# Extended: debian-plus (Agent v3) • debian-plus-nap-base • debian-plus-nap-v5-base FROM debian:13-slim@sha256:109e2c65005bf160609e4ba6acf7783752f8502ad218e298253428690b9eaa4b AS debian-plus-only ARG NGINX_PLUS_VERSION @@ -321,7 +407,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for Debian with NGINX Plus ############################################# FROM debian-plus-only AS debian-plus ARG NGINX_PLUS_VERSION -ARG NGINX_AGENT_VERSION +ARG AGENT_V3_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} 
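Review bot: `apk add --no-cache nginx-agent~${AGENT_V2_VERSION}` and the sibling `~${AGENT_V3_VERSION}` use apk's fuzzy `~` operator, which accepts any version sharing the given prefix, so if the workflow passes a short value such as a major or major.minor the build resolves to whatever the newest matching package in the agent repository is on the day it runs, and two builds of the same commit can ship different agent binaries. If a full version is passed the `~` is harmless but misleading; if a partial one is passed, prefer an exact pin such as `nginx-agent=${AGENT_V2_VERSION}` with the full version maintained in the config files rather than resolved at build time. The values of these arguments are set outside this diff, so treat this as a question to confirm rather than a defect.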
@@ -334,18 +420,20 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode apt-get update \ && cp /tmp/nginx-agent.sources /etc/apt/sources.list.d/nginx-agent.sources \ && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=${NGINX_AGENT_VERSION}* \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=${AGENT_V3_VERSION}* \ && agent.sh \ && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-agent.sources -############################################# Base image for Debian with NGINX Plus and App Protect WAF/DoS ############################################# -FROM debian-plus-only AS debian-plus-nap +############################################# Intermediate image — NGINX Plus + App Protect WAF/DoS v4 on Debian 13 (Trixie) ############################################# +# Base: debian-plus-only (NGINX Plus) +# Installs: app-protect (NAP WAF/DoS v4), app-protect-ip-intelligence, attack-signatures +# Extended: debian-plus-nap (Agent v2) • debian-plus-nap-agent (Agent v3) +FROM debian-plus-only AS debian-plus-nap-base ARG NAP_MODULES ARG NGINX_PLUS_VERSION ARG NAP_WAF_VERSION ARG NAP_WAF_COMMON_VERSION ARG NAP_WAF_PLUGIN_VERSION -ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} 
@@ -354,13 +442,10 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ --mount=type=bind,from=nginx-files,src=nap-waf-13.sources,target=/tmp/app-protect.sources \ --mount=type=bind,from=nginx-files,src=nap-dos-13.sources,target=/tmp/app-protect-dos.sources \ - --mount=type=bind,from=nginx-files,src=debian-agent-13.sources,target=/tmp/nginx-agent.sources \ - --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \ --mount=type=bind,from=nginx-files,src=nap-dos.sh,target=/usr/local/bin/nap-dos.sh \ if [ -z "${NAP_MODULES##*waf*}" ]; then \ cp /tmp/app-protect.sources /etc/apt/sources.list.d/app-protect.sources \ - && cp /tmp/nginx-agent.sources /etc/apt/sources.list.d/nginx-agent.sources \ && apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y app-protect=${NAP_WAF_VERSION}* \ nginx-plus-module-appprotect=${NAP_WAF_VERSION}* \ @@ -371,10 +456,8 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode app-protect-ip-intelligence \ app-protect-attack-signatures \ app-protect-threat-campaigns \ - nginx-agent=${NAP_AGENT_VERSION}.* \ - && rm -f /etc/apt/sources.list.d/app-protect.sources /etc/apt/sources.list.d/nginx-agent.sources \ - && nap-waf.sh \ - && agent.sh; \ + && rm -f /etc/apt/sources.list.d/app-protect.sources \ + && nap-waf.sh; \ fi \ && if [ -z "${NAP_MODULES##*dos*}" ]; then \ cp /tmp/app-protect-dos.sources /etc/apt/sources.list.d/app-protect-dos.sources \ 
@@ -385,12 +468,14 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode fi \ && rm -rf /var/lib/apt/lists/* -############################################# Base image for Debian with NGINX Plus and App Protect WAFv5 ############################################# -FROM debian-plus-only AS debian-plus-nap-v5 +############################################# Intermediate image — NGINX Plus + App Protect WAF v5 on Debian 13 ############################################# +# Base: debian-plus-only (NGINX Plus) +# Installs: app-protect-module-plus (NAP WAF v5), nginx-plus-module-appprotect +# Extended: debian-plus-nap-v5 (Agent v2) • debian-plus-nap-v5-agent (Agent v3) +FROM debian-plus-only AS debian-plus-nap-v5-base ARG NGINX_PLUS_VERSION ARG NAP_WAF_VERSION ARG NAP_WAF_PLUGIN_VERSION -ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} 
@@ -398,48 +483,94 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ --mount=type=bind,from=nginx-files,src=nap-waf-v5-13.sources,target=/etc/apt/sources.list.d/app-protect.sources \ - --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \ - --mount=type=bind,from=nginx-files,src=debian-agent-13.sources,target=/etc/apt/sources.list.d/nginx-agent.sources \ apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=${NAP_AGENT_VERSION}.* app-protect-module-plus=${NAP_WAF_VERSION}* nginx-plus-module-appprotect=${NAP_WAF_VERSION}* app-protect-plugin=${NAP_WAF_PLUGIN_VERSION}* \ - && nap-waf.sh \ + && apt-get install --no-install-recommends --no-install-suggests -y app-protect-module-plus=${NAP_WAF_VERSION}* nginx-plus-module-appprotect=${NAP_WAF_VERSION}* app-protect-plugin=${NAP_WAF_PLUGIN_VERSION}* \ + && nap-waf.sh + + +############################################# NGINX Plus + App Protect WAF/DoS v4 + Agent v2 on Debian 13 ############################################# +# Base: debian-plus-nap-base (NGINX Plus + NAP WAF/DoS v4) +# Adds: nginx-agent v2 +# Used as: BUILD_OS=debian-plus-nap +FROM debian-plus-nap-base AS debian-plus-nap +ARG AGENT_V2_VERSION + +RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ + --mount=type=bind,from=nginx-files,src=debian-agent-13.sources,target=/tmp/nginx-agent.sources \ + --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ + cp 
/tmp/nginx-agent.sources /etc/apt/sources.list.d/nginx-agent.sources \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=${AGENT_V2_VERSION}.* \ + && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-agent.sources \ && agent.sh +############################################# NGINX Plus + App Protect WAF/DoS v4 + Agent v3 on Debian 13 ############################################# +# Base: debian-plus-nap-base (NGINX Plus + NAP WAF/DoS v4) +# Adds: nginx-agent v3 +# Used as: BUILD_OS=debian-plus-nap-agent +FROM debian-plus-nap-base AS debian-plus-nap-agent +ARG AGENT_V3_VERSION -############################################# Base image for UBI with NGINX Plus ############################################# -FROM ubi-minimal AS ubi-9-plus -ARG NGINX_PLUS_VERSION -ARG NGINX_AGENT_VERSION +RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ + --mount=type=bind,from=nginx-files,src=debian-agent-13.sources,target=/tmp/nginx-agent.sources \ + --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ + cp /tmp/nginx-agent.sources /etc/apt/sources.list.d/nginx-agent.sources \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=${AGENT_V3_VERSION}* \ + && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-agent.sources \ + && agent.sh -ENV NGINX_VERSION=${NGINX_PLUS_VERSION} +############################################# NGINX Plus + App Protect WAF v5 + Agent v2 on Debian 13 ############################################# +# Base: debian-plus-nap-v5-base (NGINX Plus + NAP WAF v5) +# Adds: nginx-agent v2 +# Used as: BUILD_OS=debian-plus-nap-v5 +FROM debian-plus-nap-v5-base AS debian-plus-nap-v5 +ARG AGENT_V2_VERSION -SHELL 
["/bin/bash", "-o", "pipefail", "-c"] RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ - --mount=type=bind,from=nginx-files,src=nginx-plus-9.repo,target=/etc/yum.repos.d/nginx-plus.repo \ - --mount=type=bind,from=nginx-files,src=ubi-setup.sh,target=/usr/local/bin/ubi-setup.sh \ - --mount=type=bind,from=nginx-files,src=ubi-clean.sh,target=/usr/local/bin/ubi-clean.sh \ - --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \ + --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ + --mount=type=bind,from=nginx-files,src=debian-agent-13.sources,target=/tmp/nginx-agent.sources \ --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ - --mount=type=bind,from=nginx-files,src=tracking.info,target=/tmp/nginx/reporting/tracking.info \ - --mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \ - mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ - && ubi-setup.sh \ - && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NGINX_AGENT_VERSION}.* \ - && agent.sh \ - && ubi-clean.sh + cp /tmp/nginx-agent.sources /etc/apt/sources.list.d/nginx-agent.sources \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=${AGENT_V2_VERSION}.* \ + && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-agent.sources \ + && agent.sh + +############################################# NGINX Plus + App Protect WAF v5 + Agent v3 on Debian 13 ############################################# +# Base: debian-plus-nap-v5-base (NGINX Plus + NAP WAF v5) 
+# Adds: nginx-agent v3 +# Used as: BUILD_OS=debian-plus-nap-v5-agent +FROM debian-plus-nap-v5-base AS debian-plus-nap-v5-agent +ARG AGENT_V3_VERSION -############################################# Base image for UBI with NGINX Plus and App Protect WAF & DoS ############################################# -FROM ubi-minimal AS ubi-9-plus-nap +RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ + --mount=type=bind,from=nginx-files,src=debian-agent-13.sources,target=/tmp/nginx-agent.sources \ + --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ + cp /tmp/nginx-agent.sources /etc/apt/sources.list.d/nginx-agent.sources \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=${AGENT_V3_VERSION}* \ + && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-agent.sources \ + && agent.sh + + +############################################# Intermediate image — NGINX Plus + App Protect WAF/DoS v4 on Red Hat UBI 9 ############################################# +# Base: ubi-minimal (Red Hat UBI 9 minimal) +# Installs: nginx-plus, app-protect (NAP WAF/DoS v4), app-protect-ip-intelligence, attack-signatures +# Extended: ubi-9-plus-nap (Agent v2) • ubi-9-plus-nap-agent (Agent v3) +FROM ubi-minimal AS ubi-9-plus-nap-base ARG NAP_MODULES -ARG BUILD_OS ARG NGINX_PLUS_VERSION ARG NAP_WAF_VERSION -ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} 
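Review bot: The four new Debian agent stages pin the package inconsistently: the Agent v2 stages use `nginx-agent=${AGENT_V2_VERSION}.*` while the Agent v3 stages use `nginx-agent=${AGENT_V3_VERSION}*`, and the undelimited form is a plain prefix glob (a value of `3.1` also matches `3.10.x`), so the v3 pin is looser than the v2 pin by accident. Pick one delimited form for all four lines — the `.*` the v2 stages already use, or a revision-anchored `-*` if the arguments carry a full upstream version. Beyond that, `debian-plus-nap`, `debian-plus-nap-agent`, `debian-plus-nap-v5` and `debian-plus-nap-v5-agent` are the same RUN repeated with only the ARG name changed; at minimum mark the first one with `# keep in sync with the other nginx-agent stages below`, and a single shared build argument would let the copies collapse. The `debian-plus-nap-v5-base` RUN at the top of the hunk starts above it.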
@@ -447,21 +578,19 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ --mount=type=bind,from=nginx-files,src=nginx-plus-9.repo,target=/etc/yum.repos.d/nginx-plus.repo \ - --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \ --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \ --mount=type=bind,from=nginx-files,src=app-protect-9.repo,target=/tmp/app-protect-9.repo \ --mount=type=bind,from=nginx-files,src=app-protect-dos-9.repo,target=/tmp/app-protect-dos-9.repo \ --mount=type=bind,from=nginx-files,src=ubi-setup.sh,target=/usr/local/bin/ubi-setup.sh \ - --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \ --mount=type=bind,from=nginx-files,src=nap-dos.sh,target=/usr/local/bin/nap-dos.sh \ --mount=type=bind,from=nginx-files,src=ubi-clean.sh,target=/usr/local/bin/ubi-clean.sh \ - --mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \ + --mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \ --mount=type=bind,from=nginx-files,src=tracking.info,target=/tmp/nginx/reporting/tracking.info \ mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ && ubi-setup.sh \ && printf '[local-deps]\nname=Local UBI Deps\nbaseurl=file:///ubi-bin\nenabled=1\ngpgcheck=0\n' > /etc/yum.repos.d/local-deps.repo \ - && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check nginx-plus-module-otel nginx-agent-${NAP_AGENT_VERSION}.* \ + && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check nginx-plus-module-otel \ && if [ -z 
"${NAP_MODULES##*waf*}" ]; then \ rpm --import /tmp/app-protect-security-updates.key \ && cp /tmp/app-protect-9.repo /etc/yum.repos.d/app-protect-9.repo \ @@ -471,8 +600,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode app-protect-attack-signatures \ app-protect-threat-campaigns \ && rm -f /etc/yum.repos.d/app-protect-9.repo \ - && nap-waf.sh \ - && agent.sh; \ + && nap-waf.sh; \ fi \ && if [ -z "${NAP_MODULES##*dos*}" ]; then \ cp /tmp/app-protect-dos-9.repo /etc/yum.repos.d/app-protect-dos-9.repo \ @@ -484,11 +612,13 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && ubi-clean.sh -############################################# Base image for UBI with NGINX Plus and App Protect WAFv5 ############################################# -FROM ubi-minimal AS ubi-9-plus-nap-v5 +############################################# Intermediate image — NGINX Plus + App Protect WAF v5 on Red Hat UBI 9 ############################################# +# Base: ubi-minimal (Red Hat UBI 9 minimal) +# Installs: nginx-plus, app-protect-module-plus (NAP WAF v5) +# Extended: ubi-9-plus-nap-v5 (Agent v2) • ubi-9-plus-nap-v5-agent (Agent v3) +FROM ubi-minimal AS ubi-9-plus-nap-v5-base ARG NGINX_PLUS_VERSION ARG NAP_WAF_VERSION -ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} 
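Review bot: The `local-deps` repository written by `printf '[local-deps]\n...gpgcheck=0\n'` stays enabled for every `microdnf --nodocs install` that follows in this RUN, including the App Protect installs in the `waf` branch, so any package whose name resolves to an RPM under `/ubi-bin` is installed without signature verification; nothing in the hunk disables it before then. If `ubi9-packages` only ever holds the locally built `c-ares` RPM this is a deliberate trade-off, but it should be stated next to the line, e.g. `# local-deps: unsigned RPMs from the ubi9-packages stage (c-ares only); gpgcheck is off for this file:// repo only`, and the repo file removed as soon as the package that needs it is installed. Separately, the `--mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/` line is removed and re-added with no visible textual change, which looks like a whitespace-only edit. The RUN starts above the hunk and continues past it.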
@@ -496,10 +626,8 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ --mount=type=bind,from=nginx-files,src=nginx-plus-9.repo,target=/etc/yum.repos.d/nginx-plus.repo \ - --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \ --mount=type=bind,from=nginx-files,src=app-protect-v5-9.repo,target=/etc/yum.repos.d/app-protect-9.repo \ --mount=type=bind,from=nginx-files,src=ubi-setup.sh,target=/usr/local/bin/ubi-setup.sh \ - --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \ --mount=type=bind,from=nginx-files,src=ubi-clean.sh,target=/usr/local/bin/ubi-clean.sh \ --mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \ 
@@ -510,18 +638,112 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ && microdnf --nodocs install -y ca-certificates shadow-utils subscription-manager \ - && microdnf --nodocs install -y nginx-plus-module-otel nginx-agent-${NAP_AGENT_VERSION}.* app-protect-module-plus-${NAP_WAF_VERSION}* \ + && microdnf --nodocs install -y nginx-plus-module-otel app-protect-module-plus-${NAP_WAF_VERSION}* \ && nap-waf.sh \ - && ubi-clean.sh \ + && ubi-clean.sh + + +############################################# NGINX Plus + Agent v3 on Red Hat UBI 9 ############################################# +# Base: ubi-minimal (Red Hat UBI 9 minimal) +# Adds: nginx-plus, nginx-plus-module-njs/otel/fips-check, nginx-agent v3 +# Used as: BUILD_OS=ubi-9-plus +FROM ubi-minimal AS ubi-9-plus +ARG NGINX_PLUS_VERSION +ARG AGENT_V3_VERSION + +ENV NGINX_VERSION=${NGINX_PLUS_VERSION} + +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ + --mount=type=bind,from=nginx-files,src=nginx-plus-9.repo,target=/etc/yum.repos.d/nginx-plus.repo \ + --mount=type=bind,from=nginx-files,src=ubi-setup.sh,target=/usr/local/bin/ubi-setup.sh \ + --mount=type=bind,from=nginx-files,src=ubi-clean.sh,target=/usr/local/bin/ubi-clean.sh \ + --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \ + --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ + --mount=type=bind,from=nginx-files,src=tracking.info,target=/tmp/nginx/reporting/tracking.info \ + --mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \ + mkdir -p /etc/nginx/reporting/ && cp 
-av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \
+ && ubi-setup.sh \
+ && rpm -Uvh /ubi-bin/c-ares-*.rpm \
+ && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${AGENT_V3_VERSION}.* \
+ && agent.sh \
+ && ubi-clean.sh
+
+
+############################################# NGINX Plus + App Protect WAF/DoS v4 + Agent v2 on Red Hat UBI 9 #############################################
+# Base: ubi-9-plus-nap-base (NGINX Plus + NAP WAF/DoS v4)
+# Adds: nginx-agent v2
+# Used as: BUILD_OS=ubi-9-plus-nap
+FROM ubi-9-plus-nap-base AS ubi-9-plus-nap
+ARG AGENT_V2_VERSION
+
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+ --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \
+ --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
+ microdnf --nodocs install -y nginx-agent-${AGENT_V2_VERSION}.* \
+ && microdnf clean all \
+ && agent.sh
+
+
+############################################# NGINX Plus + App Protect WAF/DoS v4 + Agent v3 on Red Hat UBI 9 #############################################
+# Base: ubi-9-plus-nap-base (NGINX Plus + NAP WAF/DoS v4)
+# Adds: nginx-agent v3
+# Used as: BUILD_OS=ubi-9-plus-nap-agent
+FROM ubi-9-plus-nap-base AS ubi-9-plus-nap-agent
+ARG AGENT_V3_VERSION
+
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+ --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \
+ --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
+ microdnf --nodocs install -y nginx-agent-${AGENT_V3_VERSION}.* \
+ && microdnf clean all \
+ && agent.sh
+
+
+############################################# NGINX Plus + App Protect WAF v5 + Agent v2 on Red Hat UBI 9 #############################################
+# Base: ubi-9-plus-nap-v5-base (NGINX Plus + NAP WAF v5)
+# Adds: nginx-agent v2
+# Used as: BUILD_OS=ubi-9-plus-nap-v5
+FROM ubi-9-plus-nap-v5-base AS ubi-9-plus-nap-v5
+ARG AGENT_V2_VERSION
+
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+ --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \
+ --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
+ microdnf --nodocs install -y nginx-agent-${AGENT_V2_VERSION}.* \
+ && microdnf clean all \
 && agent.sh
-############################################# Base image for UBI8 with NGINX Plus and App Protect WAF #############################################
-FROM redhat/ubi8@sha256:1551c9a922dbb31c5688380fd955ef57f0f00b395bacb36856bc386eba82897b AS ubi-8-plus-nap
+############################################# NGINX Plus + App Protect WAF v5 + Agent v3 on Red Hat UBI 9 #############################################
+# Base: ubi-9-plus-nap-v5-base (NGINX Plus + NAP WAF v5)
+# Adds: nginx-agent v3
+# Used as: BUILD_OS=ubi-9-plus-nap-v5-agent
+FROM ubi-9-plus-nap-v5-base AS ubi-9-plus-nap-v5-agent
+ARG AGENT_V3_VERSION
+
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+ --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \
+ --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
+ microdnf --nodocs install -y nginx-agent-${AGENT_V3_VERSION}.* \
+ && microdnf clean all \
+ && agent.sh
+
+
+############################################# NGINX Plus + App Protect WAF v4 on Red Hat UBI
8 ############################################# +# Base: redhat/ubi8 +# Installs: nginx-plus, app-protect (NAP WAF v4), app-protect-ip-intelligence, attack-signatures +# Extended: ubi-8-plus-nap (Agent v2) • ubi-8-plus-nap-agent (Agent v3) +FROM redhat/ubi8@sha256:1551c9a922dbb31c5688380fd955ef57f0f00b395bacb36856bc386eba82897b AS ubi-8-plus-nap-base ARG NGINX_PLUS_VERSION ARG NAP_WAF_VERSION ARG BUILD_OS -ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} @@ -529,11 +751,9 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ --mount=type=bind,from=nginx-files,src=nginx-plus-8.repo,target=/etc/yum.repos.d/nginx-plus.repo,rw \ - --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \ --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \ --mount=type=bind,from=nginx-files,src=app-protect-8.repo,target=/etc/yum.repos.d/app-protect-8.repo \ --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \ - --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ --mount=type=bind,from=nginx-files,src=tracking.info,target=/tmp/nginx/reporting/tracking.info \ --mount=type=bind,from=ubi8-packages,src=/,target=/ubi-bin/ \ mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ 
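Review bot: Every new agent stage takes its package version from a stage-level ARG with no default (`microdnf --nodocs install -y nginx-agent-${AGENT_V2_VERSION}.*` in ubi-9-plus-nap and ubi-9-plus-nap-v5, the AGENT_V3_VERSION lines in ubi-9-plus, ubi-9-plus-nap-agent and ubi-9-plus-nap-v5-agent), so a build that forgets the build-arg hands the package manager the spec `nginx-agent-.*` and the outcome then depends on how that glob resolves rather than on an explicit check. Failing early with a clear message is cheaper to diagnose: `microdnf --nodocs install -y "nginx-agent-${AGENT_V2_VERSION:?AGENT_V2_VERSION build-arg is required}.*" \` and the same for AGENT_V3_VERSION. The UBI 8 stages in the -577 hunk (dnf) have the identical pattern. The `.*` suffix also leaves the installed patch release floating at build time, which is worth recording somewhere (a label or build log) if reproducible image provenance is a goal. The RUN of ubi-9-plus-nap-v5-base at the top of the hunk starts outside it.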
@@ -542,22 +762,23 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 && rpm --import /tmp/nginx_signing.key \
 && rpm --import /tmp/app-protect-security-updates.key \
 && printf '[local-deps]\nname=Local UBI Deps\nbaseurl=file:///ubi-bin\nenabled=1\ngpgcheck=0\n' > /etc/yum.repos.d/local-deps.repo \
- && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NAP_AGENT_VERSION}.* \
+ && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \
 && dnf --nodocs install -y app-protect-${NAP_WAF_VERSION}* \
- app-protect-ip-intelligence \
- app-protect-attack-signatures \
- app-protect-threat-campaigns \
+ app-protect-ip-intelligence \
+ app-protect-attack-signatures \
+ app-protect-threat-campaigns \
 && nap-waf.sh \
- && agent.sh \
 && rm -f /etc/yum.repos.d/local-deps.repo \
 && dnf clean all
-############################################# Base image for UBI8 with NGINX Plus and App Protect WAFv5 #############################################
-FROM redhat/ubi8@sha256:1551c9a922dbb31c5688380fd955ef57f0f00b395bacb36856bc386eba82897b AS ubi-8-plus-nap-v5
+############################################# Intermediate image — NGINX Plus + App Protect WAF v5 on Red Hat UBI 8 #############################################
+# Base: redhat/ubi8
+# Installs: nginx-plus, app-protect-module-plus (NAP WAF v5)
+# Extended: ubi-8-plus-nap-v5 (Agent v2) • ubi-8-plus-nap-v5-agent (Agent v3)
+FROM redhat/ubi8@sha256:1551c9a922dbb31c5688380fd955ef57f0f00b395bacb36856bc386eba82897b AS ubi-8-plus-nap-v5-base
 ARG NGINX_PLUS_VERSION
 ARG NAP_WAF_VERSION
-ARG NAP_AGENT_VERSION
 ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
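Review bot: The three `app-protect-ip-intelligence` / `app-protect-attack-signatures` / `app-protect-threat-campaigns` continuation lines are removed and re-added with text that appears identical, so that part of the hunk is whitespace-only; it widens the diff around the functional change here (dropping `nginx-agent-${NAP_AGENT_VERSION}.*` and `&& agent.sh` from the base stage) and would be easier to review as a separate formatting commit. The RUN this hunk edits starts outside it.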
@@ -565,10 +786,8 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
 --mount=type=bind,from=nginx-files,src=nginx-plus-8.repo,target=/etc/yum.repos.d/nginx-plus.repo,rw \
- --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \
 --mount=type=bind,from=nginx-files,src=app-protect-v5-8.repo,target=/etc/yum.repos.d/app-protect-8.repo \
 --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \
- --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
 --mount=type=bind,from=nginx-files,src=tracking.info,target=/tmp/nginx/reporting/tracking.info \
 --mount=type=bind,from=ubi8-packages,src=/,target=/ubi-bin/ \
 mkdir -p /etc/nginx/reporting/ \
@@ -577,14 +796,77 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ && rpm --import /tmp/nginx_signing.key \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NAP_AGENT_VERSION}.* \ + && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ && dnf --nodocs install -y app-protect-module-plus-${NAP_WAF_VERSION}* \ && nap-waf.sh \ - && agent.sh \ && dnf clean all -############################################# Create common files, permissions and setcap ############################################# +############################################# NGINX Plus + App Protect WAF v4 + Agent v2 on Red Hat UBI 8 ############################################# +# Base: ubi-8-plus-nap-base (NGINX Plus + NAP WAF v4) +# Adds: nginx-agent v2 +# Used as: BUILD_OS=ubi-8-plus-nap +FROM ubi-8-plus-nap-base AS ubi-8-plus-nap +ARG AGENT_V2_VERSION + +RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \ + --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \ + dnf --nodocs install -y nginx-agent-${AGENT_V2_VERSION}.* \ + && dnf clean all \ + && agent.sh + + +############################################# NGINX Plus + App Protect WAF v4 + Agent v3 on Red Hat UBI 8 ############################################# +# Base: ubi-8-plus-nap-base (NGINX Plus + NAP WAF v4) +# Adds: nginx-agent v3 +# Used as: BUILD_OS=ubi-8-plus-nap-agent +FROM ubi-8-plus-nap-base AS ubi-8-plus-nap-agent +ARG AGENT_V3_VERSION + +RUN 
--mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+ --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \
+ --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
+ dnf --nodocs install -y nginx-agent-${AGENT_V3_VERSION}.* \
+ && dnf clean all \
+ && agent.sh
+
+
+############################################# NGINX Plus + App Protect WAF v5 + Agent v2 on Red Hat UBI 8 #############################################
+# Base: ubi-8-plus-nap-v5-base (NGINX Plus + NAP WAF v5)
+# Adds: nginx-agent v2
+# Used as: BUILD_OS=ubi-8-plus-nap-v5
+FROM ubi-8-plus-nap-v5-base AS ubi-8-plus-nap-v5
+ARG AGENT_V2_VERSION
+
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+ --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \
+ --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
+ dnf --nodocs install -y nginx-agent-${AGENT_V2_VERSION}.* \
+ && dnf clean all \
+ && agent.sh
+
+
+############################################# NGINX Plus + App Protect WAF v5 + Agent v3 on Red Hat UBI 8 #############################################
+# Base: ubi-8-plus-nap-v5-base (NGINX Plus + NAP WAF v5)
+# Adds: nginx-agent v3
+# Used as: BUILD_OS=ubi-8-plus-nap-v5-agent
+FROM ubi-8-plus-nap-v5-base AS ubi-8-plus-nap-v5-agent
+ARG AGENT_V3_VERSION
+
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+ --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \
+ --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
+ dnf
--nodocs install -y nginx-agent-${AGENT_V3_VERSION}.* \ + && dnf clean all \ + && agent.sh + + +############################################# common — final shared configuration for all image variants ############################################# FROM ${BUILD_OS} AS common ARG BUILD_OS @@ -616,7 +898,7 @@ LABEL org.opencontainers.image.version="${IC_VERSION}" \ org.nginx.kic.image.build.nginx.version="${NGINX_VERSION}" -############################################# Build nginx-ingress in golang container ############################################# +############################################# builder — compiles nginx-ingress for production ############################################# FROM golang-builder AS builder ARG IC_VERSION ARG TARGETARCH @@ -631,7 +913,7 @@ RUN --mount=type=bind,target=/go/src/github.com/nginx/kubernetes-ingress/ --moun && setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress -############################################# Download delve ############################################# +############################################# debug-builder — compiles nginx-ingress without optimisations and installs Delve ############################################# FROM golang-builder AS debug-builder ARG TARGETARCH @@ -644,7 +926,7 @@ RUN --mount=type=bind,target=/go/src/github.com/nginx/kubernetes-ingress/ --moun RUN CGO_ENABLED=0 go install -ldflags "-s -w -extldflags '-static'" github.com/go-delve/delve/cmd/dlv@latest -############################################# Create image with nginx-ingress built in container ############################################# +############################################# container — binary from builder stage ############################################# FROM common AS container LABEL org.nginx.kic.image.build.version="container" 
@@ -652,7 +934,7 @@ LABEL org.nginx.kic.image.build.version="container" COPY --link --from=builder --chown=101:0 /nginx-ingress / -############################################# Create image with nginx-ingress built locally ############################################# +############################################# local — host-compiled binary into common ############################################# FROM common AS local ARG BUILD_OS ENV BUILD_OS=${BUILD_OS} @@ -675,7 +957,7 @@ RUN --mount=type=bind,target=/tmp if [ -z "${BUILD_OS##*plus*}" ]; then PLUS=-pl USER 101 -############################################# Create image with nginx-ingress built locally ############################################# +############################################# debug — host binary + Delve, entrypoint /dlv ############################################# FROM common AS debug LABEL org.nginx.kic.image.build.version="local" @@ -698,7 +980,7 @@ USER 101 ENTRYPOINT ["/dlv"] -############################################# Create image with nginx-ingress built locally ############################################# +############################################# debug-container — Docker binary + Delve, entrypoint /dlv ############################################# FROM common AS debug-container LABEL org.nginx.kic.image.build.version="local" @@ -721,7 +1003,7 @@ USER 101 ENTRYPOINT ["/dlv"] -############################################# Create image with nginx-ingress built locally & using prebuilt base image ############################################# +############################################# local-prebuilt — host binary into pre-downloaded base image ############################################# FROM ${PREBUILT_BASE_IMG} AS local-prebuilt ARG BUILD_OS 
@@ -739,8 +1021,7 @@ RUN --mount=type=bind,target=/tmp [ -z "${BUILD_OS##*plus*}" ] && PLUS=-plus; cp USER 101 -############################################# Builder style stage to avoid duplicate layers for ingress and ingress with setcap ############################################# -# Builder image for goreleaser +############################################# goreleaser-setcap — sets cap_net_bind_service on GoReleaser binary ############################################# FROM common AS goreleaser-setcap ARG TARGETARCH @@ -749,7 +1030,7 @@ USER 0 RUN setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress -############################################# Create image with nginx-ingress built by GoReleaser ############################################# +############################################# goreleaser — binary from GoReleaser dist/ ############################################# FROM common AS goreleaser ARG TARGETARCH @@ -758,8 +1039,7 @@ LABEL org.nginx.kic.image.build.version="goreleaser" COPY --link --chown=101:0 --from=goreleaser-setcap /nginx-ingress / -############################################# Builder style stage to avoid duplicate layers for ingress and ingress with setcap ############################################# -# Builder image for goreleaser-prebuilt +############################################# goreleaser-setcap-prebuilt — sets cap_net_bind_service on GoReleaser binary (prebuilt) ############################################# FROM ${PREBUILT_BASE_IMG} AS goreleaser-setcap-prebuilt ARG TARGETARCH 
@@ -768,7 +1048,7 @@ USER 0 RUN setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress -############################################# Create image with nginx-ingress built by GoReleaser & using prebuilt base image ############################################# +############################################# goreleaser-prebuilt — GoReleaser binary into pre-downloaded base image ############################################# FROM ${PREBUILT_BASE_IMG} AS goreleaser-prebuilt ARG TARGETARCH ARG BUILD_OS @@ -785,8 +1065,7 @@ RUN --mount=type=bind,target=/tmp [ -z "${BUILD_OS##*plus*}" ] && PLUS=-plus; cp USER 101 -############################################# Builder style stage to avoid duplicate layers for ingress and ingress with setcap ############################################# -# Builder image for aws +############################################# aws-setcap — sets cap_net_bind_service on AWS binary ############################################# FROM common AS aws-setcap ARG TARGETARCH ARG NAP_MODULES_AWS @@ -796,7 +1075,7 @@ USER 0 RUN setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress -############################################# Create image with nginx-ingress built by GoReleaser for AWS Marketplace ############################################# +############################################# aws — GoReleaser binary for AWS Marketplace ############################################# FROM common AS aws ARG TARGETARCH ARG NAP_MODULES_AWS 
@@ -806,8 +1085,7 @@ LABEL org.nginx.kic.image.build.version="aws" COPY --link --chown=101:0 --from=aws-setcap /nginx-ingress / -############################################# Builder style stage to avoid duplicate layers for ingress and ingress with setcap ############################################# -# Builder image for aws-prebuilt +############################################# aws-setcap-prebuilt — sets cap_net_bind_service on AWS binary (prebuilt) ############################################# FROM ${PREBUILT_BASE_IMG} AS aws-setcap-prebuilt ARG TARGETARCH ARG NAP_MODULES_AWS @@ -817,7 +1095,7 @@ USER 0 RUN setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress -############################################# Create image with nginx-ingress built by GoReleaser for AWS Marketplace ############################################# +############################################# aws-prebuilt — AWS Marketplace binary into pre-downloaded base image ############################################# FROM ${PREBUILT_BASE_IMG} AS aws-prebuilt ARG TARGETARCH ARG NAP_MODULES_AWS @@ -834,7 +1112,7 @@ RUN --mount=type=bind,target=/tmp [ -z "${BUILD_OS##*plus*}" ] && PLUS=-plus; cp USER 101 -############################################# Create image with nginx-ingress extracted from image on Docker Hub ############################################# +############################################# download — nginx-ingress binary from published image ############################################# FROM nginx/nginx-ingress:${DOWNLOAD_TAG} AS kic FROM common AS download diff --git a/build/scripts/agent.sh b/build/scripts/agent.sh index 7aa08d06e6..740b455ab3 100755 --- a/build/scripts/agent.sh +++ b/build/scripts/agent.sh 
@@ -9,9 +9,9 @@ if [ -f "/opt/app_protect/RELEASE" ]; then
 NAP_VERSION=$(cat /opt/app_protect/VERSION)
 echo "Adding NAP $NAP_VERSION directories"
- mkdir -p /etc/ssl/nms /opt/nms-nap-compiler
- chown -R 101:0 /etc/ssl/nms /opt/nms-nap-compiler
- chmod -R g=u /etc/ssl/nms /opt/nms-nap-compiler
+ mkdir -p /etc/ssl/nms /etc/nms /opt/nms-nap-compiler
+ chown -R 101:0 /etc/ssl/nms /etc/nms /opt/nms-nap-compiler
+ chmod -R g=u /etc/ssl/nms /etc/nms /opt/nms-nap-compiler
 ln -s /opt/app_protect "/opt/nms-nap-compiler/app_protect-${NAP_VERSION}"
 fi
diff --git a/charts/nginx-ingress/templates/_helpers.tpl b/charts/nginx-ingress/templates/_helpers.tpl
index 7e9f7311be..b2f51635b6 100644
--- a/charts/nginx-ingress/templates/_helpers.tpl
+++ b/charts/nginx-ingress/templates/_helpers.tpl
@@ -424,14 +424,15 @@ List of volumes for controller.
 - name: agent-conf
 configMap:
 name: {{ include "nginx-ingress.agentConfigName" . }}
+- name: agent-etc
+ emptyDir: {}
 {{- if ne .Values.nginxAgent.dataplaneKeySecretName "" }}
 - name: dataplane-key
 secret:
 secretName: {{ .Values.nginxAgent.dataplaneKeySecretName }}
-{{- else }}
+{{- end }}
 - name: agent-dynamic
 emptyDir: {}
-{{- end }}
 {{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }}
 - name: nginx-agent-tls
 projected:
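Review bot: `/etc/nms` joins the mkdir/chown/chmod trio without a word on what writes there, whereas `/etc/ssl/nms` is explained by the chart's nginx-agent-tls mount and `/opt/nms-nap-compiler` by the symlink just below. Since `chmod -R g=u` makes the directory writable for GID 0 (the arbitrary-UID pattern the script already uses for the other two paths), a reader should be able to confirm it is meant to be written at runtime; a comment such as `# /etc/nms: written at runtime (presumably by nginx-agent's NAP integration — confirm); pre-created group-writable for arbitrary-UID runs` would do. The `if [ -f "/opt/app_protect/RELEASE" ]` block that encloses these lines starts outside the hunk.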
@@ -490,16 +491,18 @@ volumeMounts: {{ toYaml .Values.controller.volumeMounts }} {{- end }} {{- if .Values.nginxAgent.enable }} +- name: agent-etc + mountPath: /etc/nginx-agent + # needed for agent otel collector config - name: agent-conf mountPath: /etc/nginx-agent/nginx-agent.conf subPath: nginx-agent.conf {{- if ne .Values.nginxAgent.dataplaneKeySecretName "" }} - name: dataplane-key mountPath: /etc/nginx-agent/secrets -{{- else }} +{{- end }} - name: agent-dynamic mountPath: /var/lib/nginx-agent -{{- end }} {{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} - name: nginx-agent-tls mountPath: /etc/ssl/nms @@ -569,12 +572,18 @@ log: allowed_directories: - /etc/nginx - /usr/lib/nginx/modules +{{- if .Values.controller.appprotect.enable }} + - /etc/app_protect +{{- end }} features: - certificates - connection - metrics - file-watcher +{{- if .Values.controller.appprotect.enable }} + - logs-nap +{{- end }} ## command server settings command: diff --git a/charts/tests/__snapshots__/helmunit_test.snap b/charts/tests/__snapshots__/helmunit_test.snap index 834bbac329..984b0130c4 100755 --- a/charts/tests/__snapshots__/helmunit_test.snap +++ b/charts/tests/__snapshots__/helmunit_test.snap @@ -1789,6 +1789,8 @@ spec: - name: agent-conf configMap: name: app-protect-waf-agentv2-nginx-ingress-agent-config + - name: agent-etc + emptyDir: {} - name: agent-dynamic emptyDir: {} - name: nginx-agent-tls @@ -1843,6 +1845,9 @@ spec: - NET_BIND_SERVICE volumeMounts: + - name: agent-etc + mountPath: /etc/nginx-agent + # needed for agent otel collector config - name: agent-conf mountPath: /etc/nginx-agent/nginx-agent.conf subPath: nginx-agent.conf 
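Review bot: Mounting an emptyDir at `/etc/nginx-agent` hides whatever the image shipped in that directory, and the only things visible in it afterwards are the `nginx-agent.conf` subPath mount and, when `dataplaneKeySecretName` is set, `/etc/nginx-agent/secrets`; the comment `# needed for agent otel collector config` says why the directory must be writable but not that it shadows the packaged contents. Suggest `# writable emptyDir (the agent writes its OTel collector config here); it shadows the image's /etc/nginx-agent, so only the mounts below are visible inside it`. Whether the agent relies on any file the package installs in that directory is not visible here and is worth confirming against the image build. The matching volume is declared in the -424 hunk of this file.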
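Review bot: Adding `/etc/app_protect` to `allowed_directories` when App Protect is enabled widens what is, as far as I know, the agent's allowlist for files it will read and write on the control plane's behalf, so the connected management plane gains reach into the NAP policy and configuration tree; that is a deliberate extension of trust into the WAF configuration and deserves a comment at the conditional, e.g. `{{- /* App Protect: let the agent (and the connected control plane) manage NAP policy and log files under /etc/app_protect */ }}`. A one-line pointer to what the `logs-nap` feature enables would help for the same reason. The agent config template this hunk edits continues outside it.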
@@ -1936,18 +1941,18 @@ metadata: app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/appProtectWAFV5 - 1] +[TestHelmNICTemplate/appProtectWAFV4AgentV3 - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: appprotect-wafv5-nginx-ingress - namespace: appprotect-wafv5 + name: app-protect-waf-agentv3-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-waf-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -1955,28 +1960,1151 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: appprotect-wafv5-nginx-ingress - namespace: appprotect-wafv5 + name: app-protect-waf-agentv3-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-waf-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ # Source: nginx-ingress/templates/controller-configmap.yaml -/-/-/-/ apiVersion: v1 kind: ConfigMap metadata: - name: appprotect-wafv5-nginx-ingress-mgmt - namespace: appprotect-wafv5 + name: app-protect-waf-agentv3-nginx-ingress-agent-config + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +data: + nginx-agent.conf: |- + + log: + # set log level (error, info, debug; default "info") + level: info + # set log path. if empty, don't log to file. 
+ path: "" + + allowed_directories: + - /etc/nginx + - /usr/lib/nginx/modules + - /etc/app_protect + + features: + - certificates + - connection + - metrics + - file-watcher + - logs-nap + + ## command server settings + command: + server: + host: agent.connect.nginx.com + port: 443 + auth: + tokenpath: "/etc/nginx-agent/secrets/dataplane.key" + tls: + skip_verify: false + + ## collector settings + collector: + log: + path: "stdout" +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-protect-waf-agentv3-nginx-ingress-mgmt + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +data: + license-token-secret-name: license-token +/-/-/-/ +# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-protect-waf-agentv3-nginx-ingress-leader-election + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +/-/-/-/ +# Source: nginx-ingress/templates/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: app-protect-waf-agentv3-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - 
watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "apps" + resources: + - replicasets + - daemonsets + - statefulsets + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +/-/-/-/ +# Source: nginx-ingress/templates/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: app-protect-waf-agentv3-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +subjects: +- kind: ServiceAccount + name: app-protect-waf-agentv3-nginx-ingress + namespace: default +roleRef: + kind: ClusterRole + name: app-protect-waf-agentv3-nginx-ingress + apiGroup: rbac.authorization.k8s.io +/-/-/-/ +# Source: nginx-ingress/templates/controller-role.yaml +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: app-protect-waf-agentv3-nginx-ingress + labels: + helm.sh/chart: 
nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm + namespace: default +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - app-protect-waf-agentv3-nginx-ingress-leader-election + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +/-/-/-/ +# Source: nginx-ingress/templates/controller-rolebinding.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: app-protect-waf-agentv3-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: app-protect-waf-agentv3-nginx-ingress +subjects: +- kind: ServiceAccount + name: app-protect-waf-agentv3-nginx-ingress + namespace: default +/-/-/-/ +# Source: nginx-ingress/templates/controller-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: app-protect-waf-agentv3-nginx-ingress-controller + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +spec: + externalTrafficPolicy: Local + type: LoadBalancer + ports: + - port: 80 + targetPort: 80 + protocol: TCP + name: http + nodePort: + - port: 443 + 
targetPort: 443 + protocol: TCP + name: https + nodePort: + selector: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 +/-/-/-/ +# Source: nginx-ingress/templates/controller-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-protect-waf-agentv3-nginx-ingress-controller + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + template: + metadata: + labels: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + agent-configuration-revision-hash: "59aa7a70" + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9113" + prometheus.io/scheme: "http" + spec: + volumes: + + - name: agent-conf + configMap: + name: app-protect-waf-agentv3-nginx-ingress-agent-config + - name: agent-etc + emptyDir: {} + - name: dataplane-key + secret: + secretName: dataplane-key + - name: agent-dynamic + emptyDir: {} + serviceAccountName: app-protect-waf-agentv3-nginx-ingress + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 30 + hostNetwork: false + dnsPolicy: ClusterFirst + containers: + - image: nginx/nginx-ingress:5.5.0 + name: nginx-ingress + imagePullPolicy: "IfNotPresent" + ports: + - name: http + containerPort: 80 + protocol: TCP + - name: https + containerPort: 443 + protocol: TCP + - name: prometheus + containerPort: 9113 + - name: readiness-port + containerPort: 8081 + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: 0 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + 
allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + volumeMounts: + + - name: agent-etc + mountPath: /etc/nginx-agent + # needed for agent otel collector config + - name: agent-conf + mountPath: /etc/nginx-agent/nginx-agent.conf + subPath: nginx-agent.conf + - name: dataplane-key + mountPath: /etc/nginx-agent/secrets + - name: agent-dynamic + mountPath: /var/lib/nginx-agent + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + args: + + - -nginx-plus=true + - -nginx-reload-timeout=60000 + - -enable-app-protect=true + - -enable-app-protect-ip-intelligence=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/app-protect-waf-agentv3-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/app-protect-waf-agentv3-nginx-ingress-mgmt + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -log-level=info + - -log-format=glog + - -enable-config-safety=false + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=app-protect-waf-agentv3-nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=app-protect-waf-agentv3-nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -allow-empty-ingress-host=false + - 
-ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + - -ssl-dynamic-reload=true + - -enable-telemetry-reporting=true + - -weight-changes-dynamic-reload=false + - -agent=true +/-/-/-/ +# Source: nginx-ingress/templates/controller-ingress-class.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: nginx + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +spec: + controller: nginx.org/ingress-controller +/-/-/-/ +# Source: nginx-ingress/templates/controller-lease.yaml +apiVersion: coordination.k8s.io/v1 +kind: Lease +metadata: + name: app-protect-waf-agentv3-nginx-ingress-leader-election + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-waf-agentv3 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +--- + +[TestHelmNICTemplate/appProtectWAFV5 - 1] +/-/-/-/ +# Source: nginx-ingress/templates/controller-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: appprotect-wafv5-nginx-ingress + namespace: appprotect-wafv5 + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: appprotect-wafv5-nginx-ingress + namespace: appprotect-wafv5 + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +data: + {} +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +/-/-/-/ +apiVersion: v1 
+kind: ConfigMap +metadata: + name: appprotect-wafv5-nginx-ingress-mgmt + namespace: appprotect-wafv5 + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +data: + license-token-secret-name: license-token +/-/-/-/ +# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: appprotect-wafv5-nginx-ingress-leader-election + namespace: appprotect-wafv5 + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +/-/-/-/ +# Source: nginx-ingress/templates/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: appprotect-wafv5-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "apps" + resources: + - replicasets + - daemonsets + - statefulsets + verbs: + - get +- apiGroups: + - networking.k8s.io + 
resources: + - ingressclasses + verbs: + - get + - list +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +/-/-/-/ +# Source: nginx-ingress/templates/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: appprotect-wafv5-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +subjects: +- kind: ServiceAccount + name: appprotect-wafv5-nginx-ingress + namespace: appprotect-wafv5 +roleRef: + kind: ClusterRole + name: appprotect-wafv5-nginx-ingress + apiGroup: rbac.authorization.k8s.io +/-/-/-/ +# Source: nginx-ingress/templates/controller-role.yaml +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: appprotect-wafv5-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm + namespace: appprotect-wafv5 +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - 
coordination.k8s.io + resources: + - leases + resourceNames: + - appprotect-wafv5-nginx-ingress-leader-election + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +/-/-/-/ +# Source: nginx-ingress/templates/controller-rolebinding.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: appprotect-wafv5-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm + namespace: appprotect-wafv5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: appprotect-wafv5-nginx-ingress +subjects: +- kind: ServiceAccount + name: appprotect-wafv5-nginx-ingress + namespace: appprotect-wafv5 +/-/-/-/ +# Source: nginx-ingress/templates/controller-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: appprotect-wafv5-nginx-ingress-controller + namespace: appprotect-wafv5 + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +spec: + externalTrafficPolicy: Local + type: LoadBalancer + ports: + - port: 80 + targetPort: 80 + protocol: TCP + name: http + nodePort: + - port: 443 + targetPort: 443 + protocol: TCP + name: https + nodePort: + selector: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 +/-/-/-/ +# Source: nginx-ingress/templates/controller-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: appprotect-wafv5-nginx-ingress-controller + namespace: appprotect-wafv5 + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: 
+ matchLabels: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + template: + metadata: + labels: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9113" + prometheus.io/scheme: "http" + spec: + volumes: + + - emptyDir: {} + name: app-protect-bd-config + - emptyDir: {} + name: app-protect-config + - emptyDir: {} + name: app-protect-bundles + - name: app-protect-ipi-db + emptyDir: {} + serviceAccountName: appprotect-wafv5-nginx-ingress + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 30 + hostNetwork: false + dnsPolicy: ClusterFirst + containers: + - image: nginx/nginx-ingress:5.5.0 + name: nginx-ingress + imagePullPolicy: "IfNotPresent" + ports: + - name: http + containerPort: 80 + protocol: TCP + - name: https + containerPort: 443 + protocol: TCP + - name: prometheus + containerPort: 9113 + - name: readiness-port + containerPort: 8081 + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: 0 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + volumeMounts: + + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + # app-protect-bundles is mounted so that Ingress Controller + # can verify that referenced bundles are present + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + args: + + - -nginx-plus=true + - -nginx-reload-timeout=60000 + - 
-enable-app-protect=true + - -enable-app-protect-ip-intelligence=true + - -app-protect-enforcer-address="localhost:50001" + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/appprotect-wafv5-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/appprotect-wafv5-nginx-ingress-mgmt + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -log-level=info + - -log-format=glog + - -enable-config-safety=false + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=appprotect-wafv5-nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=appprotect-wafv5-nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -allow-empty-ingress-host=false + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + - -ssl-dynamic-reload=true + - -enable-telemetry-reporting=true + - -weight-changes-dynamic-reload=false + + - name: waf-enforcer + image: my.private.reg/nap/waf-enforcer:5.12.1 + imagePullPolicy: "IfNotPresent" + env: + - name: ENFORCER_PORT + value: "50001" + - name: ENFORCER_CONFIG_TIMEOUT + value: "0" + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-ipi-db + mountPath: /var/IpRep + - name: waf-config-mgr + image: my.private.reg/nap/waf-config-mgr:5.12.1 + imagePullPolicy: "IfNotPresent" + securityContext: + + allowPrivilegeEscalation: false + 
capabilities: + drop: + - all + runAsNonRoot: true + runAsUser: 101 + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles + - name: waf-ip-intelligence + image: my.private.reg/nap/waf-ip-intelligence:5.12.1 + imagePullPolicy: "IfNotPresent" + securityContext: + + allowPrivilegeEscalation: false + capabilities: + drop: + - all + runAsNonRoot: true + runAsUser: 101 + volumeMounts: + - name: app-protect-ipi-db + mountPath: /var/IpRep +/-/-/-/ +# Source: nginx-ingress/templates/controller-ingress-class.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: nginx + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +spec: + controller: nginx.org/ingress-controller +/-/-/-/ +# Source: nginx-ingress/templates/controller-lease.yaml +apiVersion: coordination.k8s.io/v1 +kind: Lease +metadata: + name: appprotect-wafv5-nginx-ingress-leader-election + namespace: appprotect-wafv5 + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +--- + +[TestHelmNICTemplate/appProtectWAFV5AgentV2 - 1] +/-/-/-/ +# Source: nginx-ingress/templates/controller-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: app-protect-wafv5-agentv2-nginx-ingress + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: 
ConfigMap +metadata: + name: app-protect-wafv5-agentv2-nginx-ingress + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +data: + {} +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-protect-wafv5-agentv2-nginx-ingress-agent-config + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.6.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/version: "5.5.0" + app.kubernetes.io/managed-by: Helm +data: + nginx-agent.conf: |- + + log: + level: info + path: "" + server: + host: nim.example.com + grpcPort: 443 + metrics: nim.example.com + command: nim.example.com + tls: + enable: true + skip_verify: false + ca: "/etc/ssl/nms/ca.crt" + cert: "/etc/ssl/nms/tls.crt" + key: "/etc/ssl/nms/tls.key" + features: + - registration + - nginx-counting + - metrics + - dataplane-status + extensions: + - nginx-app-protect + - nap-monitoring + nginx_app_protect: + report_interval: 15s + precompiled_publication: true + nap_monitoring: + collector_buffer_size: 50000 + processor_buffer_size: 50000 + syslog_ip: 127.0.0.1 + syslog_port: 1514 +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-protect-wafv5-agentv2-nginx-ingress-mgmt + namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm data: 
@@ -1986,12 +3114,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: appprotect-wafv5-nginx-ingress-leader-election - namespace: appprotect-wafv5 + name: app-protect-wafv5-agentv2-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -1999,11 +3127,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-wafv5-nginx-ingress + name: app-protect-wafv5-agentv2-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -2124,34 +3252,34 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-wafv5-nginx-ingress + name: app-protect-wafv5-agentv2-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: appprotect-wafv5-nginx-ingress - namespace: appprotect-wafv5 + name: app-protect-wafv5-agentv2-nginx-ingress + namespace: default roleRef: kind: ClusterRole - name: appprotect-wafv5-nginx-ingress + name: app-protect-wafv5-agentv2-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-wafv5-nginx-ingress + name: app-protect-wafv5-agentv2-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm - namespace: appprotect-wafv5 + namespace: default rules: - apiGroups: - "" @@ -2189,7 +3317,7 @@ rules: resources: - leases resourceNames: - - appprotect-wafv5-nginx-ingress-leader-election + - app-protect-wafv5-agentv2-nginx-ingress-leader-election verbs: - get - update 
@@ -2204,33 +3332,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: appprotect-wafv5-nginx-ingress + name: app-protect-wafv5-agentv2-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm - namespace: appprotect-wafv5 + namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: appprotect-wafv5-nginx-ingress + name: app-protect-wafv5-agentv2-nginx-ingress subjects: - kind: ServiceAccount - name: appprotect-wafv5-nginx-ingress - namespace: appprotect-wafv5 + name: app-protect-wafv5-agentv2-nginx-ingress + namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: appprotect-wafv5-nginx-ingress-controller - namespace: appprotect-wafv5 + name: app-protect-wafv5-agentv2-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -2249,18 +3377,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: appprotect-wafv5-nginx-ingress-controller - namespace: appprotect-wafv5 + name: app-protect-wafv5-agentv2-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm spec: @@ -2268,12 +3396,13 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 + agent-configuration-revision-hash: "7f0862bf" annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" @@ -2287,9 +3416,21 @@ spec: name: app-protect-config - emptyDir: {} name: app-protect-bundles - - name: app-protect-ipi-db + - name: agent-conf + configMap: + name: app-protect-wafv5-agentv2-nginx-ingress-agent-config + - name: agent-etc emptyDir: {} - serviceAccountName: appprotect-wafv5-nginx-ingress + - name: agent-dynamic + emptyDir: {} + - name: nginx-agent-tls + projected: + sources: + - secret: + name: tls-secret + - secret: + name: ca-secret + serviceAccountName: app-protect-wafv5-agentv2-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: 
@@ -2342,6 +3483,17 @@ spec: # can verify that referenced bundles are present - name: app-protect-bundles mountPath: /etc/app_protect/bundles + - name: agent-etc + mountPath: /etc/nginx-agent + # needed for agent otel collector config + - name: agent-conf + mountPath: /etc/nginx-agent/nginx-agent.conf + subPath: nginx-agent.conf + - name: agent-dynamic + mountPath: /var/lib/nginx-agent + - name: nginx-agent-tls + mountPath: /etc/ssl/nms + readOnly: true env: - name: POD_NAMESPACE valueFrom: @@ -2356,11 +3508,11 @@ spec: - -nginx-plus=true - -nginx-reload-timeout=60000 - -enable-app-protect=true - - -enable-app-protect-ip-intelligence=true + - -enable-app-protect-ip-intelligence=false - -app-protect-enforcer-address="localhost:50001" - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/appprotect-wafv5-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/appprotect-wafv5-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/app-protect-wafv5-agentv2-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/app-protect-wafv5-agentv2-nginx-ingress-mgmt - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -2372,9 +3524,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=appprotect-wafv5-nginx-ingress-controller + - -external-service=app-protect-wafv5-agentv2-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=appprotect-wafv5-nginx-ingress-leader-election + - -leader-election-lock-name=app-protect-wafv5-agentv2-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -2397,6 +3549,8 @@ spec: - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false + - -agent=true + - -agent-instance-group=app-protect-wafv5-agentv2-nginx-ingress-controller - name: waf-enforcer image: my.private.reg/nap/waf-enforcer:5.12.1 
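Review bot: In the `@@ -2342,6 +3483,17 @@` hunk the comment `# needed for agent otel collector config` sits between the `agent-etc` emptyDir mount and the `agent-conf` ConfigMap mount, so it reads as describing the subPath'd config file, while the writable `/etc/nginx-agent` emptyDir above it is presumably what an embedded collector needs — and this is the agent v2 snapshot, whose rendered `nginx-agent.conf` earlier in the diff has no `collector:` section at all (only the v3 config further down does). Since this file is a generated snapshot, the wording belongs in the chart's deployment template; I would move the comment above the `agent-etc` entry and make it version-neutral, e.g. `# writable agent state dir; with agent v3 the embedded otel collector writes its generated config here`. On the `agent-conf` entry I would add `# subPath mount: not updated live when the ConfigMap changes; the agent-configuration-revision-hash pod label rolls the Deployment instead`, which documents why that label is added in the preceding hunk. The enclosing container spec starts and ends outside this hunk.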
@@ -2409,8 +3563,6 @@ spec: volumeMounts: - name: app-protect-bd-config mountPath: /opt/app_protect/bd_config - - name: app-protect-ipi-db - mountPath: /var/IpRep - name: waf-config-mgr image: my.private.reg/nap/waf-config-mgr:5.12.1 imagePullPolicy: "IfNotPresent" @@ -2429,20 +3581,6 @@ spec: mountPath: /opt/app_protect/config - name: app-protect-bundles mountPath: /etc/app_protect/bundles - - name: waf-ip-intelligence - image: my.private.reg/nap/waf-ip-intelligence:5.12.1 - imagePullPolicy: "IfNotPresent" - securityContext: - - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true - runAsUser: 101 - volumeMounts: - - name: app-protect-ipi-db - mountPath: /var/IpRep /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 @@ -2452,7 +3590,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -2462,28 +3600,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: appprotect-wafv5-nginx-ingress-leader-election - namespace: appprotect-wafv5 + name: app-protect-wafv5-agentv2-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: appprotect-wafv5 + app.kubernetes.io/instance: app-protect-wafv5-agentv2 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/appProtectWAFV5AgentV2 - 1] +[TestHelmNICTemplate/appProtectWAFV5AgentV3 - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: app-protect-wafv5-agentv2-nginx-ingress + name: app-protect-wafv5-agentv3-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -2491,12 +3629,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: app-protect-wafv5-agentv2-nginx-ingress + name: app-protect-wafv5-agentv3-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm data: 
@@ -2506,58 +3644,60 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: app-protect-wafv5-agentv2-nginx-ingress-agent-config + name: app-protect-wafv5-agentv3-nginx-ingress-agent-config namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm data: nginx-agent.conf: |- log: + # set log level (error, info, debug; default "info") level: info + # set log path. if empty, don't log to file. path: "" - server: - host: nim.example.com - grpcPort: 443 - metrics: nim.example.com - command: nim.example.com - tls: - enable: true - skip_verify: false - ca: "/etc/ssl/nms/ca.crt" - cert: "/etc/ssl/nms/tls.crt" - key: "/etc/ssl/nms/tls.key" + + allowed_directories: + - /etc/nginx + - /usr/lib/nginx/modules + - /etc/app_protect + features: - - registration - - nginx-counting + - certificates + - connection - metrics - - dataplane-status - extensions: - - nginx-app-protect - - nap-monitoring - nginx_app_protect: - report_interval: 15s - precompiled_publication: true - nap_monitoring: - collector_buffer_size: 50000 - processor_buffer_size: 50000 - syslog_ip: 127.0.0.1 - syslog_port: 1514 + - file-watcher + - logs-nap + + ## command server settings + command: + server: + host: agent.connect.nginx.com + port: 443 + auth: + tokenpath: "/etc/nginx-agent/secrets/dataplane.key" + tls: + skip_verify: false + + ## collector settings + collector: + log: + path: "stdout" /-/-/-/ # Source: nginx-ingress/templates/controller-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: app-protect-wafv5-agentv2-nginx-ingress-mgmt + name: app-protect-wafv5-agentv3-nginx-ingress-mgmt namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: 
app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm data: @@ -2567,12 +3707,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: app-protect-wafv5-agentv2-nginx-ingress-leader-election + name: app-protect-wafv5-agentv3-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -2580,11 +3720,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: app-protect-wafv5-agentv2-nginx-ingress + name: app-protect-wafv5-agentv3-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -2705,31 +3845,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: app-protect-wafv5-agentv2-nginx-ingress + name: app-protect-wafv5-agentv3-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: app-protect-wafv5-agentv2-nginx-ingress + name: app-protect-wafv5-agentv3-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: app-protect-wafv5-agentv2-nginx-ingress + name: app-protect-wafv5-agentv3-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: app-protect-wafv5-agentv2-nginx-ingress + name: app-protect-wafv5-agentv3-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -2770,7 +3910,7 @@ rules: resources: - leases resourceNames: - - app-protect-wafv5-agentv2-nginx-ingress-leader-election + - app-protect-wafv5-agentv3-nginx-ingress-leader-election verbs: - get - update 
@@ -2785,33 +3925,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: app-protect-wafv5-agentv2-nginx-ingress + name: app-protect-wafv5-agentv3-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: app-protect-wafv5-agentv2-nginx-ingress + name: app-protect-wafv5-agentv3-nginx-ingress subjects: - kind: ServiceAccount - name: app-protect-wafv5-agentv2-nginx-ingress + name: app-protect-wafv5-agentv3-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: app-protect-wafv5-agentv2-nginx-ingress-controller + name: app-protect-wafv5-agentv3-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -2830,18 +3970,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: app-protect-wafv5-agentv2-nginx-ingress-controller + name: app-protect-wafv5-agentv3-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm spec: @@ -2849,13 +3989,13 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 - agent-configuration-revision-hash: "7f0862bf" + app.kubernetes.io/instance: app-protect-wafv5-agentv3 + agent-configuration-revision-hash: "59aa7a70" annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" @@ -2871,17 +4011,15 @@ spec: name: app-protect-bundles - name: agent-conf configMap: - name: app-protect-wafv5-agentv2-nginx-ingress-agent-config + name: app-protect-wafv5-agentv3-nginx-ingress-agent-config + - name: agent-etc + emptyDir: {} + - name: dataplane-key + secret: + secretName: dataplane-key - name: agent-dynamic emptyDir: {} - - name: nginx-agent-tls - projected: - sources: - - secret: - name: tls-secret - - secret: - name: ca-secret - serviceAccountName: app-protect-wafv5-agentv2-nginx-ingress + serviceAccountName: app-protect-wafv5-agentv3-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: 
@@ -2934,14 +4072,16 @@ spec: # can verify that referenced bundles are present - name: app-protect-bundles mountPath: /etc/app_protect/bundles + - name: agent-etc + mountPath: /etc/nginx-agent + # needed for agent otel collector config - name: agent-conf mountPath: /etc/nginx-agent/nginx-agent.conf subPath: nginx-agent.conf + - name: dataplane-key + mountPath: /etc/nginx-agent/secrets - name: agent-dynamic mountPath: /var/lib/nginx-agent - - name: nginx-agent-tls - mountPath: /etc/ssl/nms - readOnly: true env: - name: POD_NAMESPACE valueFrom: @@ -2959,8 +4099,8 @@ spec: - -enable-app-protect-ip-intelligence=false - -app-protect-enforcer-address="localhost:50001" - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/app-protect-wafv5-agentv2-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/app-protect-wafv5-agentv2-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/app-protect-wafv5-agentv3-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/app-protect-wafv5-agentv3-nginx-ingress-mgmt - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -2972,9 +4112,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=app-protect-wafv5-agentv2-nginx-ingress-controller + - -external-service=app-protect-wafv5-agentv3-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=app-protect-wafv5-agentv2-nginx-ingress-leader-election + - -leader-election-lock-name=app-protect-wafv5-agentv3-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -2998,7 +4138,6 @@ spec: - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false - -agent=true - - -agent-instance-group=app-protect-wafv5-agentv2-nginx-ingress-controller - name: waf-enforcer image: my.private.reg/nap/waf-enforcer:5.12.1 
@@ -3038,7 +4177,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm spec: @@ -3048,12 +4187,12 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: app-protect-wafv5-agentv2-nginx-ingress-leader-election + name: app-protect-wafv5-agentv3-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.6.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: app-protect-wafv5-agentv2 + app.kubernetes.io/instance: app-protect-wafv5-agentv3 app.kubernetes.io/version: "5.5.0" app.kubernetes.io/managed-by: Helm --- @@ -9355,9 +10494,13 @@ spec: - name: agent-conf configMap: name: oss-agent-nginx-ingress-agent-config + - name: agent-etc + emptyDir: {} - name: dataplane-key secret: secretName: dataplane-key + - name: agent-dynamic + emptyDir: {} serviceAccountName: oss-agent-nginx-ingress automountServiceAccountToken: true securityContext: @@ -9403,11 +10546,16 @@ spec: - NET_BIND_SERVICE volumeMounts: + - name: agent-etc + mountPath: /etc/nginx-agent + # needed for agent otel collector config - name: agent-conf mountPath: /etc/nginx-agent/nginx-agent.conf subPath: nginx-agent.conf - name: dataplane-key mountPath: /etc/nginx-agent/secrets + - name: agent-dynamic + mountPath: /var/lib/nginx-agent env: - name: POD_NAMESPACE valueFrom: @@ -12684,9 +13832,13 @@ spec: - name: agent-conf configMap: name: plus-agent-nginx-ingress-agent-config + - name: agent-etc + emptyDir: {} - name: dataplane-key secret: secretName: dataplane-key + - name: agent-dynamic + emptyDir: {} serviceAccountName: plus-agent-nginx-ingress automountServiceAccountToken: true securityContext: 
@@ -12732,11 +13884,16 @@ spec: - NET_BIND_SERVICE volumeMounts: + - name: agent-etc + mountPath: /etc/nginx-agent + # needed for agent otel collector config - name: agent-conf mountPath: /etc/nginx-agent/nginx-agent.conf subPath: nginx-agent.conf - name: dataplane-key mountPath: /etc/nginx-agent/secrets + - name: agent-dynamic + mountPath: /var/lib/nginx-agent env: - name: POD_NAMESPACE valueFrom: @@ -13205,9 +14362,13 @@ spec: - name: agent-conf configMap: name: plus-agent-all-nginx-ingress-agent-config + - name: agent-etc + emptyDir: {} - name: dataplane-key secret: secretName: dataplane-key + - name: agent-dynamic + emptyDir: {} serviceAccountName: plus-agent-all-nginx-ingress automountServiceAccountToken: true securityContext: @@ -13253,11 +14414,16 @@ spec: - NET_BIND_SERVICE volumeMounts: + - name: agent-etc + mountPath: /etc/nginx-agent + # needed for agent otel collector config - name: agent-conf mountPath: /etc/nginx-agent/nginx-agent.conf subPath: nginx-agent.conf - name: dataplane-key mountPath: /etc/nginx-agent/secrets + - name: agent-dynamic + mountPath: /var/lib/nginx-agent env: - name: POD_NAMESPACE valueFrom: diff --git a/charts/tests/helmunit_test.go b/charts/tests/helmunit_test.go index c29dacd70e..22312728cc 100644 --- a/charts/tests/helmunit_test.go +++ b/charts/tests/helmunit_test.go 
@@ -166,11 +166,21 @@ func TestHelmNICTemplate(t *testing.T) {
 releaseName: "app-protect-wafv5-agentv2",
 namespace: "default",
 },
+ "appProtectWAFV5AgentV3": {
+ valuesFile: "testdata/app-protect-wafv5-agentv3.yaml",
+ releaseName: "app-protect-wafv5-agentv3",
+ namespace: "default",
+ },
 "appProtectWAFV4AgentV2": {
 valuesFile: "testdata/app-protect-waf-agentv2.yaml",
 releaseName: "app-protect-waf-agentv2",
 namespace: "default",
 },
+ "appProtectWAFV4AgentV3": {
+ valuesFile: "testdata/app-protect-waf-agentv3.yaml",
+ releaseName: "app-protect-waf-agentv3",
+ namespace: "default",
+ },
 "startupStatusValid": {
 valuesFile: "testdata/startupstatus-valid.yaml",
 releaseName: "startupstatus",
diff --git a/charts/tests/testdata/app-protect-waf-agentv3.yaml b/charts/tests/testdata/app-protect-waf-agentv3.yaml
new file mode 100644
index 0000000000..70fcbd8b10
--- /dev/null
+++ b/charts/tests/testdata/app-protect-waf-agentv3.yaml
@@ -0,0 +1,9 @@
+controller:
+ nginxplus: true
+ appprotect:
+ enable: true
+nginxAgent:
+ enable: true
+ dataplaneKeySecretName: "dataplane-key"
+ endpointHost: "agent.connect.nginx.com"
+ endpointPort: 443
diff --git a/charts/tests/testdata/app-protect-wafv5-agentv3.yaml b/charts/tests/testdata/app-protect-wafv5-agentv3.yaml
new file mode 100644
index 0000000000..ada2c7568c
--- /dev/null
+++ b/charts/tests/testdata/app-protect-wafv5-agentv3.yaml
@@ -0,0 +1,25 @@
+controller:
+ nginxplus: true
+ appprotect:
+ enable: true
+ v5: true
+ volumes:
+ - name: app-protect-bd-config
+ emptyDir: {}
+ - name: app-protect-config
+ emptyDir: {}
+ - name: app-protect-bundles
+ emptyDir: {}
+ enforcer:
+ host: "localhost"
+ port: 50001
+ image:
+ repository: my.private.reg/nap/waf-enforcer
+ configManager:
+ image:
+ repository: my.private.reg/nap/waf-config-mgr
+nginxAgent:
+ enable: true
+ dataplaneKeySecretName: "dataplane-key"
+ endpointHost: "agent.connect.nginx.com"
+ endpointPort: 443
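Review bot: The Deployment rendered from this values file mounts the `dataplane-key` Secret at `/etc/nginx-agent/secrets` without `readOnly: true`, whereas the Agent v2 `nginx-agent-tls` projected volume it replaces was mounted `readOnly: true` (both are visible in the snapshot hunks earlier in this diff); the `nginxAgent.dataplaneKeySecretName: "dataplane-key"` line here is what drives that mount. Kubernetes mounts Secret volumes read-only in practice, but the explicit flag documents intent and survives the volume source being changed to something writable later. The one-line fix belongs in the chart template, which is not in this chunk: add `readOnly: true` under the `dataplane-key` volumeMount, and the snapshot for this new test case will then pin it. If the chart exposes an agent TLS skip-verify value, a values file that sets it explicitly would likewise guard the rendered `skip_verify: false` against a default change.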
diff --git a/examples/custom-resources/security-monitoring-v5/README.md b/examples/custom-resources/security-monitoring-v5/README.md
new file mode 100644
index 0000000000..0b2c48ff52
--- /dev/null
+++ b/examples/custom-resources/security-monitoring-v5/README.md
@@ -0,0 +1,130 @@
+# WAF Security Monitoring with F5 WAF for NGINX v5
+
+This example describes how to deploy NGINX Plus Ingress Controller with [F5 WAF for NGINX v5](https://docs.nginx.com/waf/) and [NGINX Agent](https://docs.nginx.com/nginx-agent/overview/) to integrate with NGINX Security Monitoring. It deploys a simple web application and configures WAF protection using compiled policy and log bundles, forwarding security logs to the Security Monitoring dashboard via syslog.
+
+This example works with both:
+
+- **NGINX Instance Manager** (Agent 2.*) - See the [Security Monitoring tutorial](https://docs.nginx.com/nginx-ingress-controller/tutorials/security-monitoring/) for agent configuration.
+- **NGINX One Console** (Agent 3.*) - See the [Connect NGINX Ingress Controller to NGINX One Console](https://docs.nginx.com/nginx-one-console/k8s/add-nic/) guide for agent configuration.
+
+> **Note**: Starting with NGINX Ingress Controller 5.5.0, images with the `-agent` suffix include NGINX Agent (3.*) and are pre-configured for NGINX One Console. Images without the `-agent` suffix include NGINX Agent (2.*) for NGINX Instance Manager. See the [Technical Specifications](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/) for available image variants.
+
+## Prerequisites
+
+1. Follow the installation [instructions](https://docs.nginx.com/nginx-ingress-controller/installation) to deploy NGINX
+ Ingress Controller with F5 WAF for NGINX v5 and NGINX Agent. Configure NGINX Agent to connect to either a deployment of NGINX Instance Manager with Security Monitoring, or to NGINX One Console, and verify your NGINX Ingress Controller deployment is online.
+
+1. Confirm which version of NGINX Agent is running in your Ingress Controller pod:
+
+ ```console
+ kubectl exec -it -c nginx-ingress -- nginx-agent -v
+ ```
+
+ The output will show either `2.x.x` or `3.x.x`. Use this to choose the correct WAF policy in Step 4 below.
+
+ - **Agent 2.***: connects to NGINX Instance Manager
+ - **Agent 3.***: connects to NGINX One Console
+
+1. Save the public IP address of the Ingress Controller into a shell variable:
+
+ ```console
+ IC_IP=XXX.YYY.ZZZ.III
+ ```
+
+1. Save the HTTP port of NGINX Ingress Controller into a shell variable:
+
+ ```console
+ IC_HTTP_PORT=
+ ```
+
+## Step 1. Deploy a Web Application
+
+Create the application deployment and service:
+
+```console
+kubectl apply -f webapp.yaml
+```
+
+## Step 2 - Create and Deploy the WAF Policy and Log Bundles
+
+1. Compile your WAF policy and log configuration into bundles (`.tgz` files) using the `waf-compiler` image. See [Compile WAF Policy from JSON to Bundle](https://docs.nginx.com/nginx-ingress-controller/install/waf-helm/#compile-waf-policy-from-json-to-bundle) for compilation steps.
+
+ When using NGINX One Console, you can create and manage WAF policies under **WAF > Policies**, and download the `secops_dashboard` log profile from **WAF > Log Profiles**. See the [Security Monitoring tutorial](https://docs.nginx.com/nginx-ingress-controller/tutorials/security-monitoring/) for full setup instructions.
+
+1. Copy both bundles to the volume mounted at `/etc/app_protect/bundles` in the Ingress Controller pod:
+
+ ```console
+ kubectl cp ./compiled_policy.tgz :/etc/app_protect/bundles/compiled_policy.tgz -c nginx-ingress
+ kubectl cp ./compiled_log.tgz :/etc/app_protect/bundles/compiled_log.tgz -c nginx-ingress
+ ```
+
+## Step 3 - Deploy the Syslog Service (Agent 2.* only)
+
+If you are using Agent 2.* (NGINX Instance Manager), create the syslog service and pod that receives App Protect security logs:
+
+```console
+kubectl apply -f syslog.yaml
+```
+
+If you are using Agent (3.*) (NGINX One Console), skip this step. NGINX Agent 3.* listens for security logs locally on `127.0.0.1:1514` using its embedded OpenTelemetry collector.
+
+## Step 4 - Deploy the WAF Policy
+
+Create the WAF policy referencing the compiled bundles.
Choose the file that matches your agent version:
+
+**Agent 2.* (NGINX Instance Manager)** — logs sent to the syslog service:
+
+```console
+kubectl apply -f waf.yaml
+```
+
+**Agent 3.* (NGINX One Console)** — logs sent directly to the local NGINX Agent listener:
+
+```console
+kubectl apply -f waf-agent-v3.yaml
+```
+
+Note the log bundle referenced in the `apLogBundle` field must be compiled from a log profile that matches the format required by NGINX Security Monitoring.
+
+## Step 5 - Configure Load Balancing
+
+Create the VirtualServer resource:
+
+```console
+kubectl apply -f virtual-server.yaml
+```
+
+## Step 6 - Test the Application
+
+1. Send a valid request to the application:
+
+ ```console
+ curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT/
+ ```
+
+ ```text
+ Server address: 10.12.0.18:80
+ Server name: webapp-7586895968-r26zn
+ ...
+ ```
+
+1. Send a request with a suspicious URL:
+
+ ```console
+ curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP "http://webapp.example.com:$IC_HTTP_PORT/