From 285e157217f0d7d4e09893df89bad0794b705fe6 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Wed, 11 Oct 2023 22:46:46 -0300 Subject: [PATCH] Cherry pick image bump and re-add AJP as dynamic module (#10509) * update nginx base, httpbun, e2e, helm webhook cert gen (#10506) * update nginx base, httpbun, e2e, helm webhook cert gen Signed-off-by: James Strong * fix helm docs Signed-off-by: James Strong --------- Signed-off-by: James Strong * Add AJP as dynamic for v1.8 * try again on dynamic module * Fix ajp on chroot --------- Signed-off-by: James Strong Co-authored-by: James Strong --- NGINX_BASE | 2 +- build/run-in-docker.sh | 2 +- charts/ingress-nginx/README.md | 4 ++-- charts/ingress-nginx/values.yaml | 4 ++-- rootfs/Dockerfile | 5 +++++ rootfs/Dockerfile-chroot | 5 +++++ rootfs/etc/nginx/template/nginx.tmpl | 2 ++ test/e2e-image/Makefile | 2 +- test/e2e/HTTPBUN_IMAGE | 2 +- 9 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/NGINX_BASE b/NGINX_BASE
index 14a7ee54b..d6cecf76b 100644
--- a/NGINX_BASE
+++ b/NGINX_BASE
@@ -1 +1 @@
-registry.k8s.io/ingress-nginx/nginx:v20230623-427f3d2fb@sha256:7b479f66872c0b1cb0f1315e305b8a3e9c6da846c7dd3855db99bc8cfd6791e1
+registry.k8s.io/ingress-nginx/nginx:v20231011-8b53cabe0@sha256:34881d62f71e8573fb765c40585dba28a1148206fbbe2c3871ad3f4e8c6e360f
diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh
index 7e7974f0f..42ea0da55 100755
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@@ -44,7 +44,7 @@ function cleanup { } trap cleanup EXIT
-E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230907-5bb82dcb7@sha256:421cda0f65a949b8b67b5e62a45071702d19ed458a3e2ba753171b0e66943210}
+E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20231011-8b53cabe0@sha256:ed0dad805c635e66469b4ac376010eebdd0b3fe62d753f58db1632d6f12f451d}
 if [[ "$RUNTIME" == podman ]]; then # Podman does not support both tag and digest
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index d25931175..2ace7fc85 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -252,11 +252,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | |
-| controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` | |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"` | |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
-| controller.admissionWebhooks.patch.image.tag | string | `"v20230407"` | |
+| controller.admissionWebhooks.patch.image.tag | string | `"v20231011-8b53cabe0"` | |
 | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 55b00e1fc..3d3f072eb 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -615,8 +615,8 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository:
- tag: v20230407
- digest: sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
+ tag: v20231011-8b53cabe0
+ digest: sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
 pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ##
diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile
index 75cf3fc65..d41b63609 100644
--- a/rootfs/Dockerfile
+++ b/rootfs/Dockerfile
@@ -14,6 +14,9 @@ ARG BASE_IMAGE
+# Source at https://github.com/rikatz/nginx-build-ajp
+FROM docker.io/rpkatz/nginx-ajp-module:latest@sha256:31df5e44018dabfc9477fb69acb2f08af3ae4fd4a9fe80d3415ccc05fcb197d2 as ajp
+
 FROM ${BASE_IMAGE} ARG TARGETARCH
@@ -76,6 +79,8 @@ RUN apk add --no-cache libcap \ && apk del libcap \ && ln -sf /usr/local/nginx/sbin/nginx /usr/bin/nginx
+COPY --from=ajp /ngx_http_ajp_module.so /etc/nginx/modules
+
 USER www-data # Create symlinks to redirect nginx logs to stdout and stderr docker log collector
diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot
index 48facd44f..510c17a74 100644
--- a/rootfs/Dockerfile-chroot
+++ b/rootfs/Dockerfile-chroot
@@ -14,6 +14,9 @@ ARG BASE_IMAGE
+# Source at https://github.com/rikatz/nginx-build-ajp
+FROM docker.io/rpkatz/nginx-ajp-module:latest@sha256:31df5e44018dabfc9477fb69acb2f08af3ae4fd4a9fe80d3415ccc05fcb197d2 as ajp
+
 FROM ${BASE_IMAGE} as chroot # This intermediary image will be used only to copy all the required files to the chroot
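Review bot: The new `ajp` stage in rootfs/Dockerfile (repeated in rootfs/Dockerfile-chroot) takes a prebuilt `ngx_http_ajp_module.so` from a personal Docker Hub namespace, so the binary's provenance sits outside the registry.k8s.io images the rest of this commit pins. The digest fixes the bytes but not how they were produced, and the `:latest` tag next to it is ignored once a digest is given and only misleads a reader about what is pinned. A dynamic nginx module generally has to match the nginx build it is loaded into, and this commit also moves NGINX_BASE, so I would drop `:latest` and record the pairing beside the FROM line, e.g. `# Built from <source-commit placeholder> for the nginx in NGINX_BASE; rebuild and re-pin the digest whenever NGINX_BASE changes`. Whether the pinned digest is a multi-arch index covering every TARGETARCH cannot be told from the hunk and is worth confirming.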
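Review bot: The destination in `COPY --from=ajp /ngx_http_ajp_module.so /etc/nginx/modules` (second hunk of rootfs/Dockerfile; rootfs/Dockerfile-chroot uses the same form with `/chroot/etc/nginx/modules`) has no trailing slash, so if that directory is ever missing from the base image the module is written as a file named `modules` and the mistake only surfaces when nginx fails to load it. Writing the destination as `/etc/nginx/modules/` makes the intent explicit. COPY without `--chown` leaves the file owned by root, which keeps the module non-writable for `www-data`; a one-line comment such as `# keep root-owned: loaded into every nginx process` would stop a later edit from adding `--chown`. The RUN block above the COPY starts outside the hunk.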
@@ -97,6 +100,8 @@ RUN apk add --no-cache libcap \ && setcap -v cap_sys_chroot,cap_net_bind_service=+ep /usr/bin/dumb-init \ && apk del libcap
+COPY --from=ajp /ngx_http_ajp_module.so /chroot/etc/nginx/modules
+
 RUN ln -sf /chroot/etc/nginx /etc/nginx \ && ln -sf /chroot/tmp/nginx /tmp/nginx \ && ln -sf /chroot/etc/ingress-controller /etc/ingress-controller \
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 69e6195a2..b9ed4b98c 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -12,6 +12,8 @@ # setup custom paths that do not require root access pid {{ .PID }};
+load_module /etc/nginx/modules/ngx_http_ajp_module.so;
+
 {{ if $cfg.UseGeoIP2 }} load_module /etc/nginx/modules/ngx_http_geoip2_module.so; {{ end }}
diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile
index bd3453253..ff5aa8fb6 100644
--- a/test/e2e-image/Makefile
+++ b/test/e2e-image/Makefile
@@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
-E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20230907-5bb82dcb7@sha256:421cda0f65a949b8b67b5e62a45071702d19ed458a3e2ba753171b0e66943210"
+E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20231011-8b53cabe0@sha256:ed0dad805c635e66469b4ac376010eebdd0b3fe62d753f58db1632d6f12f451d"
 image: echo "..entered Makefile in /test/e2e-image"
diff --git a/test/e2e/HTTPBUN_IMAGE b/test/e2e/HTTPBUN_IMAGE
index 2d95865c7..7e83b49fe 100644
--- a/test/e2e/HTTPBUN_IMAGE
+++ b/test/e2e/HTTPBUN_IMAGE
@@ -1 +1 @@
-registry.k8s.io/ingress-nginx/e2e-test-httpbun:v20230505-v0.0.1
+registry.k8s.io/ingress-nginx/e2e-test-httpbun:v20231011-8b53cabe0
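Review bot: The added `load_module /etc/nginx/modules/ngx_http_ajp_module.so;` in nginx.tmpl is unconditional, while the geoip2 module directly below it is wrapped in `{{ if $cfg.UseGeoIP2 }}`. Every controller therefore loads this externally built module into nginx whether or not any Ingress uses an AJP backend, and a missing or incompatible `.so` would stop nginx from starting for all installations rather than only those using AJP. Gating the directive behind a configuration flag, the way geoip2 is gated, would limit both the loaded code and the failure scope. If it has to stay unconditional, a comment such as `# AJP is loaded for every configuration because <reason placeholder>` should say why. The template continues outside the hunk.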