Update opentracing nginx module (#2675)

* Update opentracing nginx module

* Update nginx file permissions

* Allow binding to a port less than 1024 to non-root users

images/nginx/Makefile

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # 0.0.0 shouldn't clobber any released builds
-TAG ?= 0.52
+TAG ?= 0.53
 REGISTRY ?= quay.io/kubernetes-ingress-controller
 ARCH ?= $(shell go env GOARCH)
 DOCKER ?= docker

images/nginx/build.sh

@@ -26,7 +26,7 @@ export STICKY_SESSIONS_VERSION=08a395c66e42
 export MORE_HEADERS_VERSION=0.33
 export NGINX_DIGEST_AUTH=274490cec649e7300fea97fed13d84e596bbc0ce
 export NGINX_SUBSTITUTIONS=bc58cb11844bc42735bbaef7085ea86ace46d05b
-export NGINX_OPENTRACING_VERSION=0.3.0
+export NGINX_OPENTRACING_VERSION=0.5.0
 export OPENTRACING_CPP_VERSION=1.4.0
 export ZIPKIN_CPP_VERSION=0.3.1
 export JAEGER_VERSION=0.4.1
@@ -89,6 +89,7 @@ clean-install \
   python \
   luarocks \
   libmaxminddb-dev \
+  libcap2-bin \
   || exit 1
 
 if [[ ${ARCH} == "x86_64" ]]; then
@@ -159,7 +160,7 @@ get_src ede0ad490cb9dd69da348bdea2a60a4c45284c9777b2f13fa48394b6b8e7671c \
 get_src 618551948ab14cac51d6e4ad00452312c7b09938f59ebff4f93875013be31f2d \
         "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz"
 
-get_src 2d2b8784a09c7bb4ae7f8a76ab679c54a683b8dda26db2f948982de0ad44c7a5 \
+get_src ad6c813cb8baa4a178417bfa316ab3535d950fe02c67dc3a4af96ef6a1f655d6 \
         "https://github.com/opentracing-contrib/nginx-opentracing/archive/v$NGINX_OPENTRACING_VERSION.tar.gz"
 
 get_src 2eb0a4a7dc62bc8cbf12872080197b41d53b4c04966c860774a6b11fd59fad55 \
@@ -418,8 +419,6 @@ WITH_MODULES="--add-module=$BUILD_PATH/ngx_devel_kit-$NDK_VERSION \
   --add-module=$BUILD_PATH/nginx_cookie_flag_module-$COOKIE_FLAG_VERSION \
   --add-module=$BUILD_PATH/nginx-influxdb-module-$NGINX_INFLUXDB_VERSION \
   --add-dynamic-module=$BUILD_PATH/nginx-opentracing-$NGINX_OPENTRACING_VERSION/opentracing \
-  --add-dynamic-module=$BUILD_PATH/nginx-opentracing-$NGINX_OPENTRACING_VERSION/jaeger \
-  --add-dynamic-module=$BUILD_PATH/nginx-opentracing-$NGINX_OPENTRACING_VERSION/zipkin \
   --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx-$MODSECURITY_VERSION \
   --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module-${GEOIP2_VERSION} \
   --add-module=$BUILD_PATH/ngx_brotli"
@@ -453,6 +452,11 @@ echo "Cleaning..."
 
 cd /
 
+mv /usr/share/nginx/sbin/nginx /usr/sbin
+
+# allow binding to a port less than 1024 to non-root users
+setcap cap_net_bind_service=+ep /usr/sbin/nginx
+
 apt-mark unmarkauto \
   bash \
   curl ca-certificates \
@@ -478,14 +482,11 @@ apt-get remove -y --purge \
   linux-libc-dev \
   cmake \
   wget \
+  libcap2-bin \
   git g++ pkgconf flex bison doxygen libyajl-dev liblmdb-dev libgeoip-dev libtool dh-autoreconf libpcre++-dev libxml2-dev
 
 apt-get autoremove -y
 
-mkdir -p /var/lib/nginx/body /usr/share/nginx/html
-
-mv /usr/share/nginx/sbin/nginx /usr/sbin
-
 rm -rf "$BUILD_PATH"
 rm -Rf /usr/share/man /usr/share/doc
 rm -rf /tmp/* /var/tmp/*
@@ -499,3 +500,22 @@ rm -rf /etc/nginx/owasp-modsecurity-crs/.git
 rm -rf /etc/nginx/owasp-modsecurity-crs/util/regression-tests
 
 rm -rf $HOME/.hunter
+
+# update image permissions
+writeDirs=( \
+  /etc/nginx \
+  /etc/ingress-controller/ssl \
+  /etc/ingress-controller/auth \
+  /var/log \
+  /var/log/nginx \
+  /var/lib/nginx/body \
+  /usr/share/nginx/html \
+  /opt/modsecurity/var/log \
+  /opt/modsecurity/var/upload \
+  /opt/modsecurity/var/audit \
+);
+
+for dir in "${writeDirs[@]}"; do
+  mkdir -p ${dir};
+  chown -R www-data.www-data ${dir};
+done