Cherry pick image bump and re-add AJP as dynamic module (#10509)

* update nginx base, httpbun, e2e, helm webhook cert gen (#10506)

* update nginx base, httpbun, e2e, helm webhook cert gen

Signed-off-by: James Strong <strong.james.e@gmail.com>

* fix helm docs

Signed-off-by: James Strong <strong.james.e@gmail.com>

---------

Signed-off-by: James Strong <strong.james.e@gmail.com>

* Add AJP as dynamic for v1.8

* try again on dynamic module

* Fix ajp on chroot

---------

Signed-off-by: James Strong <strong.james.e@gmail.com>
Co-authored-by: James Strong <strong.james.e@gmail.com>

NGINX_BASE

@@ -1 +1 @@
-registry.k8s.io/ingress-nginx/nginx:v20230623-427f3d2fb@sha256:7b479f66872c0b1cb0f1315e305b8a3e9c6da846c7dd3855db99bc8cfd6791e1
+registry.k8s.io/ingress-nginx/nginx:v20231011-8b53cabe0@sha256:34881d62f71e8573fb765c40585dba28a1148206fbbe2c3871ad3f4e8c6e360f

build/run-in-docker.sh

@@ -44,7 +44,7 @@ function cleanup {
 }
 trap cleanup EXIT
 
-E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230907-5bb82dcb7@sha256:421cda0f65a949b8b67b5e62a45071702d19ed458a3e2ba753171b0e66943210}
+E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20231011-8b53cabe0@sha256:ed0dad805c635e66469b4ac376010eebdd0b3fe62d753f58db1632d6f12f451d}
 
 if [[ "$RUNTIME" == podman ]]; then
   # Podman does not support both tag and digest

charts/ingress-nginx/README.md

@@ -252,11 +252,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.networkPolicyEnabled | bool | `false` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
-| controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` |  |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"` |  |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` |  |
-| controller.admissionWebhooks.patch.image.tag | string | `"v20230407"` |  |
+| controller.admissionWebhooks.patch.image.tag | string | `"v20231011-8b53cabe0"` |  |
 | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` |  |

charts/ingress-nginx/values.yaml

@@ -615,8 +615,8 @@ controller:
         ## for backwards compatibility consider setting the full image url via the repository value below
         ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
         ## repository:
-        tag: v20230407
-        digest: sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
+        tag: v20231011-8b53cabe0
+        digest: sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         pullPolicy: IfNotPresent
       # -- Provide a priority class name to the webhook patching job
       ##

rootfs/Dockerfile

@@ -14,6 +14,9 @@
 
 ARG BASE_IMAGE
 
+# Source at https://github.com/rikatz/nginx-build-ajp
+FROM docker.io/rpkatz/nginx-ajp-module:latest@sha256:31df5e44018dabfc9477fb69acb2f08af3ae4fd4a9fe80d3415ccc05fcb197d2  as ajp
+
 FROM ${BASE_IMAGE}
 
 ARG TARGETARCH
@@ -76,6 +79,8 @@ RUN apk add --no-cache libcap \
   && apk del libcap \
   && ln -sf /usr/local/nginx/sbin/nginx /usr/bin/nginx
 
+COPY --from=ajp /ngx_http_ajp_module.so /etc/nginx/modules
+
 USER www-data
 
 # Create symlinks to redirect nginx logs to stdout and stderr docker log collector

rootfs/Dockerfile-chroot

@@ -14,6 +14,9 @@
 
 ARG BASE_IMAGE
 
+# Source at https://github.com/rikatz/nginx-build-ajp
+FROM docker.io/rpkatz/nginx-ajp-module:latest@sha256:31df5e44018dabfc9477fb69acb2f08af3ae4fd4a9fe80d3415ccc05fcb197d2 as ajp
+
 FROM ${BASE_IMAGE} as chroot
 
 # This intermediary image will be used only to copy all the required files to the chroot
@@ -97,6 +100,8 @@ RUN apk add --no-cache libcap \
   && setcap -v cap_sys_chroot,cap_net_bind_service=+ep /usr/bin/dumb-init \
   && apk del libcap
 
+COPY --from=ajp /ngx_http_ajp_module.so /chroot/etc/nginx/modules
+
 RUN  ln -sf /chroot/etc/nginx /etc/nginx \
   && ln -sf /chroot/tmp/nginx /tmp/nginx \
   && ln -sf /chroot/etc/ingress-controller /etc/ingress-controller \

rootfs/etc/nginx/template/nginx.tmpl

@@ -12,6 +12,8 @@
 # setup custom paths that do not require root access
 pid {{ .PID }};
 
+load_module /etc/nginx/modules/ngx_http_ajp_module.so;
+
 {{ if $cfg.UseGeoIP2 }}
 load_module /etc/nginx/modules/ngx_http_geoip2_module.so;
 {{ end }}

test/e2e-image/Makefile

@@ -1,6 +1,6 @@
 
 DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
-E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20230907-5bb82dcb7@sha256:421cda0f65a949b8b67b5e62a45071702d19ed458a3e2ba753171b0e66943210"
+E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20231011-8b53cabe0@sha256:ed0dad805c635e66469b4ac376010eebdd0b3fe62d753f58db1632d6f12f451d"
 
 image:
 	echo "..entered Makefile in /test/e2e-image"

test/e2e/HTTPBUN_IMAGE

@@ -1 +1 @@
-registry.k8s.io/ingress-nginx/e2e-test-httpbun:v20230505-v0.0.1
+registry.k8s.io/ingress-nginx/e2e-test-httpbun:v20231011-8b53cabe0