testing melange

Signed-off-by: James Strong <strong.james.e@gmail.com>
James Strong 2022-09-27 18:57:46 -04:00 committed by James Strong
parent 057c1b26fb
commit 39e151710d
Failed to extract signature
35 changed files with 3434 additions and 0 deletions

208
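--- a/.github/workflows/melange-nginx.yaml
+++ b/.github/workflows/melange-nginx.yaml
@@ -0,0 +1,208 @@
+# Adding/removing/modifying supported Nginx version(s)?
+# Do a search of this file for the string "versionmod"
+# for all the parts of this file which might need changes
+# See also "ignored-versions" in version-check.yaml
+# TODO: minimize the total number of these
+on:
+push:
+branches:
+- main
+- melange
+# If README.md is generated by this job, do not re-run
+paths-ignore:
+- README.md
+# schedule:
+# - cron: '0 0 * * *'
+# Allow manually triggered workflows by maintainers without any
+# parameters to trigger a proactive rebuild (e.g. when a new
+# ingress.yaml lands)
+workflow_dispatch: {}
+name: Create Release
+# Don't run multiple releases concurrently.
+concurrency: release
+jobs:
+build:
+name: Release OCI image
+runs-on: ubuntu-latest
+outputs:
+# versionmod
+image-refs-1-19-10: ${{ steps.emit-refs.outputs.image-refs-1-19-10 }}
+strategy:
+matrix:
+# versionmod
+nginx-version: [1.19.10]
+include:
+- nginx-version: 1.19.10
+sha256: e8d0290ff561986ad7cd6c33307e12e11b137186c4403a6a5ccdb4914c082d88
+# https://docs.github.com/en/actions/reference/authentication-in-a-workflow
+permissions:
+id-token: write
+packages: write
+contents: read
+steps:
+- uses: actions/checkout@v3
+- uses: sigstore/cosign-installer@main
+- name: Setup QEMU
+uses: docker/setup-qemu-action@v2.0.0
+- name: Melange build
+id: melange
+run: |
+cd images/nginx
+make melange
+make index
+# - id: ingress.yaml
+# uses: distroless/actions/ingress.yaml-snapshot@main
+# with:
+# config: ingress.yaml.yaml
+# base-tag: ghcr.io/${{ github.repository }}
+# keyring-append: /github/workspace/melange.rsa.pub
+# archs: x86_64,aarch64,armv7
+# additional-tags: ${{ matrix.nginx-version }}
+# image_refs: ingress.yaml.images
+#
+# - name: Emit Image Refs output
+# id: emit-refs
+# run: |
+# # versionmod
+# versions="1.19.10"
+# echo "cat ingress.yaml.images | sed 's/\\$/\n/g' | grep -v '^\$' | jq -R -s -c 'split(\"\n\")[:-1]'" > refs-to-json.sh && chmod +x refs-to-json.sh
+# trap "rm -f refs-to-json.sh" EXIT
+# for version in ${versions//,/ }; do
+# if [[ "${version}" == "${{ matrix.nginx-version }}" ]]; then
+# key=image-refs-$(echo ${version} | sed 's|\.|-|g')
+# value=$(./refs-to-json.sh | sed 's|"|\\"|g')
+# echo ::set-output name=${key}::${value}
+# break
+# fi
+# done
+#
+# - name: Smoke Test
+# run: |
+# IMAGE_NAME=$(docker load < output.tar | grep "Loaded image" | sed 's/^Loaded image: //')
+# IMAGE_NAME=$IMAGE_NAME ./test.sh
+#
+# - name: Additional tags
+# uses: distroless/actions/tag@main
+# with:
+# distroless_image: ghcr.io/${{ github.repository }}:${{ matrix.nginx-version }}
+# docker_image_tag: ${{ matrix.nginx-version }}
+# docker_image: "nginx"
+#
+# - if: ${{ failure() }}
+# name: Setup debug upterm session
+# uses: lhotari/action-upterm@v1
+#
+# # Merge the JSON lists of images published in the build job into a single output
+# collect-image-refs:
+# name: Collect image refs
+# needs: build
+# runs-on: ubuntu-latest
+# outputs:
+# image-refs: ${{ steps.combine.outputs.image-refs }}
+# steps:
+# - name: Combine image refs across all versions
+# id: combine
+# run: |
+# rm -f image-refs-*.json
+#
+# # versionmod
+# echo "${{ needs.build.outputs.image-refs-1-19-1 }}" > image-refs-1-19-1.json
+#
+# jq -c -s '.[]=([.[]]|flatten)|.[0]' image-refs-*.json > image-refs-combined.json
+# echo "Combined image refs:"
+# echo "---------------------------"
+# cat image-refs-combined.json
+# echo "---------------------------"
+#
+# echo ::set-output name=image-refs::$(cat image-refs-combined.json)
+# rm -f image-refs-*.json
+#
+# scan:
+# name: Scan ingress.yaml images
+# needs: collect-image-refs
+# runs-on: ubuntu-latest
+#
+# # https://docs.github.com/en/actions/reference/authentication-in-a-workflow
+# permissions:
+# id-token: write
+# packages: write
+# contents: read
+#
+# strategy:
+# matrix:
+# ref: ${{ fromJson(needs.collect-image-refs.outputs.image-refs) }}
+# steps:
+# - run: |
+# echo ${{ matrix.ref }}
+# - uses: distroless/actions/vul-scans@main
+# id: scans
+# with:
+# registry: ghcr.io
+# username: ${{ github.actor }}
+# password: ${{ github.token }}
+# image: ${{ matrix.ref }}
+# RUN_SNYK: "false"
+# RUN_GRYPE: "false"
+# DOCKER_LOGIN: 'true'
+# - name: Image Vulnerability scan output
+# shell: bash
+# env:
+# SNYK_COUNT: ${{ steps.scans.outputs.SNYK_COUNT }}
+# GRYPE_COUNT: ${{ steps.scans.outputs.GRYPE_COUNT }}
+# TRIVY_COUNT: ${{ steps.scans.outputs.TRIVY_COUNT }}
+# run: |
+# echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
+# echo "Image ID: ${{ matrix.ref }}" >> $GITHUB_STEP_SUMMARY
+# echo "" >> $GITHUB_STEP_SUMMARY
+# echo "Snyk Count: $SNYK_COUNT" >> $GITHUB_STEP_SUMMARY
+# echo "Grype Count: $GRYPE_COUNT" >> $GITHUB_STEP_SUMMARY
+# echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY
+# generate-readme:
+# name: Generate README
+# needs: scan
+# runs-on: ubuntu-latest
+# permissions:
+# id-token: write # Enable OIDC
+# contents: write
+# steps:
+# - name: Checkout source
+# uses: actions/checkout@v3
+# - name: Generate README
+# uses: distroless/readme-generator@main
+# with:
+# repo: https://github.com/distroless/nginx
+# name: nginx
+# location: distroless.dev/nginx
+# description: "A minimal nginx base image rebuilt every night from source."
+# exclude-tags: 1.20.2-r0,1.20.2,1.20,1.23.0
+# output-path: README-GENERATED.md
+# - name: Push new README back to the repo
+# run: |
+# set -x
+# if [[ "$(diff README-GENERATED.md README.md)" == "" ]]; then
+# echo "No diff detected in README. Skipping."
+# exit 0
+# fi
+# git config user.name "Automated"
+# git config user.email "actions@users.noreply.github.com"
+# mv README-GENERATED.md README.md
+# git add README.md
+# git commit -m "Regenerate README.md" || exit 0
+# git push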
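Review bot: `sigstore/cosign-installer@main` follows a mutable branch inside the `build` job, which holds `id-token: write` and `packages: write`, so any change on that branch runs with the ability to request OIDC tokens and push packages for this repository. Pin it to a full commit SHA, e.g. `uses: sigstore/cosign-installer@<full-commit-sha>  # <release tag>`, and ideally do the same for `actions/checkout@v3` and `docker/setup-qemu-action@v2.0.0`, since tags can be moved too. The `image-refs-1-19-10` job output reads `steps.emit-refs`, which is commented out in this version, so the output will always be empty. The commented-out steps reference `distroless/actions/...@main` and an upterm debug session on failure; both deserve the same pinning and a permissions review before they are re-enabled in a job with write scopes.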

111
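--- a/distroless-build/Makefile
+++ b/distroless-build/Makefile
@@ -0,0 +1,111 @@
+# Copyright 2022 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+.DEFAULT_GOAL:=melange
+# set default shell
+SHELL=/bin/bash -o pipefail -o errexit
+DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
+# 0.0.0 shouldn't clobber any released builds
+TAG ?= 0.0
+REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
+IMAGE ?= $(REGISTRY)/controller
+ARCH := $(shell uname -m)
+MELANGE_DIR ?= melange
+APKO_DIR ?= apko
+MELANGE ?= docker run --rm --privileged -v "${PWD}":/work distroless.dev/melange:latest
+MELANGE ?= docker run -d --rm --privileged -v "${PWD}":/work distroless.dev/melange:latest
+APKO ?= docker run --rm -v "${PWD}":/work distroless.dev/apko:latest
+KEY ?= melange.rsa
+REPO ?= packages
+TEMPLATE ?= melange/nginx-templates.json
+MELANGE_OPTS ?= --empty-workspace -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS}
+KEY ?= melange.rsa
+REPO ?= $(shell pwd)/packages
+ARCHS?="amd64,arm64,arm/v6,arm/v7,s390x"
+define build-package
+docker run $(2) --rm --privileged -v "${PWD}":/work distroless.dev/melange:latest build ${MELANGE_DIR}/$(1).yaml ${MELANGE_OPTS} --template '$(shell cat ${TEMPLATE})'
+endef
+keygen: ## Generate Key pair for use with signing apks
+docker run --rm --privileged -v "${PWD}":/work distroless.dev/melange:latest keygen
+melange: ## Build melange $FILE
+${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml ${MELANGE_OPTS} --template '$(shell cat ${TEMPLATE})'
+apko-build: ## Build an apko pipeline with $KEY and $FILE
+${APKO} build -k ${KEY}.pub --debug ${APKO_DIR}/${FILE}.yaml $(IMAGE):$(TAG) $(IMAGE)-$(TAG).tar
+apko-push: ## Push apko built conatiner $IMAGE:$TAG to $REGISTRY
+${APKO} publish -k ${KEY}.pub --debug ${APKO_DIR}/${FILE}.yaml $(IMAGE):$(TAG)
+load: ## Load apko built image into docker
+docker load < $(IMAGE)-$(TAG).tar
+docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG)
+docker push $(REGISTRY)/$(IMAGE):$(TAG)
+build-all: clean-packages all-packages nginx-package ingress-packages ## Fresh build of all melange pipelines and apko files, default is all $ARCHS
+nginx-test: ## Start $IMAGE:$TAG container and drop into bash shell
+docker run --rm -it --entrypoint bash --env-file .env $(IMAGE):$(TAG)
+shell: ## Start Alpine base container, mount PWD and drop into sh
+docker run -it --rm -v "${PWD}":/work --entrypoint sh distroless.dev/alpine-base:latest
+check_clean:
+@echo -n "Are you sure? [y/N] " && read ans && [ $${ans:-N} = y ]
+clean-packages: check_clean ## Deletes /packages directory, this will take 4 hours to rebuild, are you sure?
+echo "deleting everything"
+rm -rf packages/ && mkdir -p packages/
+# order matters here, jaeger needs yaml etc
+all-packages:
+$(call build-package,mimaloc,"-d")
+$(call build-package,ssdeep,"-d")
+$(call build-package,opentracing,)
+$(call build-package,msgpack,)
+$(call build-package,datadog,)
+$(call build-package,yaml,)
+$(call build-package,zipkin,)
+$(call build-package,jaeger,)
+$(call build-package,luajit,)
+$(call build-package,lua-resty-core,)
+$(call build-package,modsecurity,)
+$(call build-package,lua-resty-upload,"-d")
+$(call build-package,lua-resty-string,"-d")
+$(call build-package,lua-resty-redis,"-d")
+$(call build-package,lua-resty-memcached,"-d")
+$(call build-package,lua-resty-lock,"-d")
+$(call build-package,lua-resty-ipmatcher,"-d")
+$(call build-package,lua-resty-http,"-d")
+$(call build-package,lua-resty-global-throttle,"-d")
+$(call build-package,lua-resty-dns,"-d")
+$(call build-package,lua-resty-cookie,"-d")
+$(call build-package,lua-resty-cache,"-d")
+$(call build-package,lua-resty-balancer,"-d")
+$(call build-package,lua-cjson,"-d")
+nginx-package:
+$(call build-package,nginx)
+ingress-packages:
+$(call build-package,ingress-nginx-controller)
+$(call build-package,dbg)
+$(call build-package,wait-shutdown)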
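Review bot: Every melange invocation here (`MELANGE`, `build-package`, `keygen`) runs `docker run --privileged` on `distroless.dev/melange:latest` with `${PWD}` bind-mounted, and `${PWD}` is where `keygen` leaves `melange.rsa`, the package signing key. A mutable `:latest` tag means the image that gets privileged access and can read the signing key may differ from one build to the next; pin the images by digest, e.g. `distroless.dev/melange@sha256:<digest>`, and make sure `melange.rsa` is git-ignored or kept outside the mounted tree. The builds started with `"-d"` in `all-packages` are detached, so their exit status is never checked and the "order matters" comment cannot hold for them. The second `MELANGE ?=` never takes effect because the first already set the variable (`KEY` and `REPO` are also assigned twice). In `load`, `$(REGISTRY)/$(IMAGE)` doubles the registry prefix, since `IMAGE` already starts with `$(REGISTRY)`.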


@ -0,0 +1,184 @@
include: apko/nginx.yaml
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- dbg@local
- waitshutdown@local
- ingress-nginx@local
- dumb-init
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
run-as: 10000
environments:
PATH: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin"
LUA_PATH: "/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;"
LUA_CPATH: "/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
LUA_INCLUDE_DIR: "/usr/local/include/luajit-2.1"
LUAJIT_LIB: "/usr/local/lib"
work-dir: /etc/nginx
entrypoint:
command: "/usr/bin/dumb-init --"
cmd: /nginx-ingress-controller
paths:
- path: /var/log/nginx/error.log
type: symlink
source: /dev/stderr
permissions: 0o755
- path: /var/log/nginx/access.log
type: symlink
source: /dev/stdout
permissions: 0o755
recursive: true
- path: /usr/bin/nginx
type: hardlink
source: /usr/local/nginx/sbin/nginx
permissions: 0o755
recursive: true
- path: /usr/local/
type: directory
permissions: 0o755
uid: 10000
gid: 10000
recursive: true
- path: /usr/include/lua5.1
type: directory
permissions: 0o755
uid: 10000
gid: 10000
recursive: true
- path: /usr/local/bin/lua
type: hardlink
source: /usr/local/bin/luajit
permissions: 0o755
- path: /sbin/nginx
type: hardlink
source: /usr/local/nginx/sbin/nginx
permissions: 0o755
- path: /var/lib/
type: directory
permissions: 0o755
uid: 10000
gid: 10000
recursive: true
- path: /var/log/nginx/
type: directory
uid: 10000
gid: 10000
permissions: 0o755
recursive: true
- path: /var/lib/nginx/
type: directory
uid: 10000
gid: 10000
permissions: 0o755
recursive: true
- path: /var/lib/nginx/body
type: directory
uid: 10000
gid: 10000
permissions: 0o755
recursive: true
- path: /usr/local/nginx
type: directory
uid: 10000
gid: 10000
permissions: 0o755
recursive: true
- path: /run/nginx
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /run/nginx.pid
uid: 10000
gid: 10000
type: empty-file
permissions: 0o755
recursive: true
- path: /etc/nginx/modules
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /etc/nginx
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /usr/local/nginx
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /opt/modsecurity/var/log
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /opt/modsecurity/var/upload
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /opt/modsecurity/var/audit
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /var/log
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /etc/ingress-controller
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /tmp/nginx
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /var/log/nginx/
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /var/log/audit
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
archs:
- amd64
- aarch64
- armv7
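Review bot: The `paths` list hands `/usr/local/`, `/usr/local/nginx` and `/etc/nginx/modules` recursively to uid/gid 10000, which is also the `run-as` user, so the serving process can overwrite the nginx binary, the LuaJIT tree and the loadable modules it executes. Unless the controller really needs to write there, leave code and module directories root-owned and give 10000 only the state directories it writes (`/etc/nginx`, `/var/log/nginx/`, `/var/lib/nginx/`, `/run/nginx`, `/tmp/nginx`, the modsecurity `var` directories). The nginx apko config in the next file section repeats the same list and needs the same change. `/usr/local/nginx` and `/var/log/nginx/` each appear twice, and the symlink and `empty-file` entries carry `recursive: true` and `0o755`, which looks like copy-paste; `permissions: 0o644` would suit `/run/nginx.pid`.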


@ -0,0 +1,176 @@
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- '@local /work/packages'
packages:
- alpine-baselayout-data
- geoip-dev
- nginx@local
- opentracing@local
- msgpack-cpp@local
- datadog-cpp@local
- yaml-cpp@local
- zipkin-cpp@local
- modsecurity@local
- luaresty-balancer@local
- luacjson@local
- luajit@local
- lua-resty-cache@local
- lua-resty-cookie@local
- lua-resty-dns@local
- lua-resty-core@local
- lua-resty-global-throttle@local
- lua-resty-ipmatcher@local
- lua-resty-lock@local
- lua-resty-redis@local
- lua-resty-string@local
- lua-resty-upload@local
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
run-as: 10000
environments:
PATH: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin"
LUA_PATH: "/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;"
LUA_CPATH: "/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
LUA_INCLUDE_DIR: "/usr/local/include/luajit-2.1"
LUAJIT_LIB: "/usr/local/lib"
paths:
- path: /usr/local/
type: directory
permissions: 0o755
uid: 10000
gid: 10000
recursive: true
- path: /usr/include/lua5.1
type: directory
permissions: 0o755
uid: 10000
gid: 10000
recursive: true
- path: /usr/local/bin/lua
type: hardlink
source: /usr/local/bin/luajit
permissions: 0o755
- path: /sbin/nginx
type: hardlink
source: /usr/local/nginx/sbin/nginx
permissions: 0o755
- path: /var/lib/
type: directory
permissions: 0o755
uid: 10000
gid: 10000
recursive: true
- path: /var/log/nginx/
type: directory
uid: 10000
gid: 10000
permissions: 0o755
recursive: true
- path: /var/lib/nginx/
type: directory
uid: 10000
gid: 10000
permissions: 0o755
recursive: true
- path: /var/lib/nginx/body
type: directory
uid: 10000
gid: 10000
permissions: 0o755
recursive: true
- path: /usr/local/nginx
type: directory
uid: 10000
gid: 10000
permissions: 0o755
recursive: true
- path: /run/nginx
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /run/nginx.pid
uid: 10000
gid: 10000
type: empty-file
permissions: 0o755
recursive: true
- path: /etc/nginx/modules
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /etc/nginx
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /usr/local/nginx
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /opt/modsecurity/var/log
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /opt/modsecurity/var/upload
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /opt/modsecurity/var/audit
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /var/log
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /etc/ingress-controller
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /tmp/nginx
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /var/log/nginx/
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
- path: /var/log/audit
uid: 10000
gid: 10000
type: directory
permissions: 0o755
recursive: true
archs:
- amd64
- aarch64
- armv7
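Review bot: `geoip-dev` is a development package sitting in the `packages` list of an image that is meant to run nginx; if only the shared library is needed at run time, depend on the runtime package instead so headers and link libraries stay out of the image. The only upstream repository is Alpine `edge/main`, a rolling branch, so the same config can resolve to different package versions on every build; for anything that feeds a release image, consider a release branch or pinned versions. A short comment above `repositories` stating why `edge` is required would help, e.g. `# edge needed for <package>; revisit before release`.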


@ -0,0 +1,656 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- ingress-controller-leader
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- coordination.k8s.io
resourceNames:
- ingress-controller-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-controller
namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: NodePort
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
spec:
containers:
- args:
- /nginx-ingress-controller
- --election-id=ingress-controller-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --watch-ingress-without-class=true
- --publish-status-address=localhost
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: localhost:5000/ingress:5005
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
hostPort: 80
name: http
protocol: TCP
- containerPort: 443
hostPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsUser: 101
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
ingress-ready: "true"
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 0
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Equal
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0@sha256:549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0@sha256:549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
path: /networking/v1/ingresses
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None
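Review bot: The controller container sets `runAsUser: 101`, but the apko configs in this commit create `www-data` as uid 10000 and give that uid ownership of the writable paths, so the pod would run as a uid that owns none of them; align the two with `runAsUser: 10000`, or drop the field and rely on the image's `run-as`. The same `securityContext` keeps `allowPrivilegeEscalation: true`; if the melange-built nginx does not depend on file capabilities to bind 80/443, set it to `false`. The ConfigMap enables `allow-snippet-annotations: "true"` while the ClusterRole lets the controller list and watch `secrets` cluster-wide, so anyone allowed to create Ingress objects can place nginx configuration into a process with that access; use `"false"` for anything beyond a local test cluster. `image: localhost:5000/ingress:5005` is a mutable local tag, unlike the digest-pinned certgen image in the two Jobs, so this manifest should be marked as test-only.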


@ -0,0 +1,62 @@
package:
name: datadog-cpp
version: {{ .DATADOG_CPP_VERSION }}
epoch: 0
description: "Datadog OpenTracing C++ Client"
target-architecture:
- all
copyright:
- paths:
- "*"
license: Apache-2.0 license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
- cmake
- curl
- curl-dev
- opentracing@local
- msgpack-cpp@local
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/DataDog/dd-opentracing-cpp/archive/v{{ .DATADOG_CPP_VERSION }}.tar.gz
expected-sha256: {{ .DATADOG_CPP_VERSION_SHA }}
strip-components: 1
- name: 'Configure DATADOG_CPP'
with:
DATADOG_CPP_VERSION: {{ .DATADOG_CPP_VERSION }}
runs: |
# build datadog lib
echo "::::::::::::::::::::::::::::::::::::::"
echo ":::: dd-opentracing-cpp-{{ .DATADOG_CPP_VERSION }} ::::"
echo "::::::::::::::::::::::::::::::::::::::"
cmake -DCMAKE_BUILD_TYPE=Release \
-DBUILD_TESTING=OFF \
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true .
- uses: autoconf/make
- uses: autoconf/make-install
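Review bot: `license: Apache-2.0 license` is not an SPDX identifier; the other package files in this commit use `Apache-2.0`, and licence or SBOM tooling that reads the APK metadata will not recognise the longer string. The template values are unquoted (`version: {{ .DATADOG_CPP_VERSION }}`, `expected-sha256: {{ .DATADOG_CPP_VERSION_SHA }}`), so, assuming the template is rendered before the YAML is parsed, a float-looking version or an all-digit value would be retyped; quoting them, `expected-sha256: "{{ .DATADOG_CPP_VERSION_SHA }}"`, keeps them strings. `dependencies: runtime:` is left bare and parses as null; write `runtime: []` if no runtime dependencies are intended.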


@ -0,0 +1,58 @@
package:
name: dbg
version: {{ .INGRESS_NGINX_VERSION }}
epoch: 0
description: "dbg is a tool for quickly inspecting the state of the nginx instance"
target-architecture:
- all
copyright:
- paths:
- "*"
attestation: TODO
license: Apache-2.0
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
packages:
- alpine-baselayout-data
- ca-certificates-bundle
- tree
- go
- bash
- curl
- ca-certificates-bundle
- git
- openssh-client
- make
- gcc
- busybox
- build-base
pipeline:
- uses: git-checkout
with:
repository: https://github.com/kubernetes/ingress-nginx
tag: ${{package.version}}
- name: Build ingress-nginx controller from source
with:
PKG: {{ .PKG }}
TAG: {{ .TAG }}
COMMIT_SHA: {{ .COMMIT_SHA }}
REPO_INFO: {{ .REPO_INFO }}
runs: |
set -o errexit
set -o nounset
set -o pipefail
mkdir -p ${{targets.destdir}}
go build -v \
-trimpath -ldflags="-buildid= -w -s \
-X {{ .PKG }}/version.RELEASE={{ .TAG }} \
-X {{ .PKG }}/version.COMMIT={{ .COMMIT_SHA }} \
-X {{ .PKG }}/version.REPO={{ .REPO_INFO }}" \
-o "${{targets.destdir}}/dbg" {{ .PKG }}/cmd/dbg
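Review bot: The `git-checkout` step takes `tag: ${{package.version}}`, and the variables file in this commit sets `INGRESS_NGINX_VERSION` to `main`, so the build compiles whatever that ref points at when it runs. Meanwhile `-X {{ .PKG }}/version.COMMIT={{ .COMMIT_SHA }}` stamps a fixed string that nothing compares with the commit actually checked out. If the melange version in use supports it, adding `expected-commit:` with the full hash to the `with:` block would tie the two together. The ingress-nginx file has the same step, and the modsecurity file checks out `branch: {{ .MODSECURITY_LIB_VERSION }}` without using the `MODSECURITY_LIB_VERSION_SHA` that the variables file defines. `ca-certificates-bundle` is also listed twice under `packages`.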


@ -0,0 +1,58 @@
package:
name: ingress-nginx
version: {{ .INGRESS_NGINX_VERSION }}
epoch: 0
description: "Ingress-NGINX Controller for Kubernetes"
target-architecture:
- all
copyright:
- paths:
- "*"
attestation: TODO
license: Apache-2.0
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
packages:
- alpine-baselayout-data
- busybox
- ca-certificates-bundle
- tree
- go
- bash
- curl
- ca-certificates-bundle
- git
- openssh-client
- make
pipeline:
- uses: git-checkout
with:
repository: https://github.com/kubernetes/ingress-nginx
tag: ${{package.version}}
- name: Build ingress-nginx controller from source
with:
PKG: {{ .PKG }}
TAG: {{ .TAG }}
COMMIT_SHA: {{ .COMMIT_SHA }}
REPO_INFO: {{ .REPO_INFO }}
runs: |
set -o errexit
set -o nounset
set -o pipefail
mkdir -p ${{targets.destdir}}
export CGO_ENABLED=0
go build -v \
-trimpath -ldflags="-buildid= -w -s \
-X {{ .PKG }}/version.RELEASE={{ .TAG }} \
-X {{ .PKG }}/version.COMMIT={{ .COMMIT_SHA }} \
-X {{ .PKG }}/version.REPO={{ .REPO_INFO }}" \
-o "${{targets.destdir}}/nginx-ingress-controller" {{ .PKG }}/cmd/nginx


@ -0,0 +1,94 @@
package:
name: jaeger-cpp
version: {{ .JAEGER_VERSION }}
epoch: 0
description: "Jaeger SDK with OpenTracing API for C++ binding."
target-architecture:
- all
copyright:
- paths:
- "*"
license: MIT license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
- cmake
- yaml-cpp@local
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/jaegertracing/jaeger-client-cpp/archive/v{{ .JAEGER_VERSION }}.tar.gz
expected-sha256: {{ .JAEGER_VERSION_SHA }}
strip-components: 1
- name: 'Configure '
with:
JAEGER_VERSION: {{ .JAEGER_VERSION }}
runs: |
set -o errexit
set -o nounset
set -o pipefail
echo "Arch: $(uname -m)"
ARCH=$(uname -m)
CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1))
mkdir -p ${{targets.destdir}}/etc/nginx
echo "::::::::::::::::::::::::::::::::::::::"
echo ":::: jaeger-client-cpp-{{ .JAEGER_VERSION }} ::::"
echo "::::::::::::::::::::::::::::::::::::::"
# build jaeger lib
sed -i 's/-Werror/-Wno-psabi/' CMakeLists.txt
# use the above built yaml-cpp instead until a new version of jaeger-client-cpp fixes the yaml-cpp issue
# tl;dr new hunter is needed for new yaml-cpp, but new hunter has a conflict with old Thrift and new Boost
sed -i 's/hunter_add_package(yaml-cpp)/#hunter_add_package(yaml-cpp)/' CMakeLists.txt
sed -i 's/yaml-cpp::yaml-cpp/yaml-cpp/' CMakeLists.txt
cat <<EOF > export.map
{
global:
OpenTracingMakeTracerFactory;
local: *;
};
EOF
cmake -DCMAKE_BUILD_TYPE=Release \
-DCMAKE_INSTALL_PREFIX=${{targets.destdir}} \
-DBUILD_TESTING=OFF \
-DJAEGERTRACING_BUILD_EXAMPLES=OFF \
-DJAEGERTRACING_BUILD_CROSSDOCK=OFF \
-DJAEGERTRACING_COVERAGE=OFF \
-DJAEGERTRACING_PLUGIN=ON \
-DHUNTER_CONFIGURATION_TYPES=Release \
-DBUILD_SHARED_LIBS=OFF \
-DJAEGERTRACING_WITH_YAML_CPP=ON \
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true .
- uses: autoconf/make
- uses: autoconf/make-install
- run: |
mv libjaegertracing_plugin.so ${{targets.destdir}}/usr/local/lib/libjaegertracing_plugin.so
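Review bot: The last step is keyed `run:` where every other script step in these files uses `runs:`, so the `mv` of `libjaegertracing_plugin.so` into the destdir is probably never executed, or the file is rejected, depending on how strictly melange treats unknown keys; it should read `- runs: |`. In the configure step, `export.map` is written but no visible cmake flag refers to it, and `ARCH` and `CORES` are assigned and never used. Replacing `-Werror` with `-Wno-psabi` through `sed` also switches off warnings-as-errors for the whole build, which deserves a one-line comment saying why.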


@ -0,0 +1,56 @@
package:
name: luacjson
version: {{ .LUA_CJSON_VERSION }}
epoch: 0
description: "Lua CJSON is a fast JSON encoding/parsing module for Lua"
target-architecture:
- all
copyright:
- paths:
- "*"
license: MIT license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
- luajit@local
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/openresty/lua-cjson/archive/{{ .LUA_CJSON_VERSION }}.tar.gz
expected-sha256: {{ .LUA_CJSON_VERSION_SHA }}
strip-components: 1
- name: "Configure"
runs: |
export LUAJIT_LIB=/usr/local/lib
export LUA_LIB_DIR="$LUAJIT_LIB/lua"
export LUAJIT_INC=/usr/local/include/luajit-2.1
ln -s /usr/local/bin/luajit /usr/local/bin/lua
ln -s "$LUAJIT_INC" /usr/local/include/lua
export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1
ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1
ls -lah /usr/local/lib
make
make DESTDIR="${{targets.destdir}}" install
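Review bot: This Configure script is repeated verbatim in the lua-resty-core and lua-resty-ipmatcher files, and it carries leftovers: `LUA_INCLUDE_DIR` repeats the path already held in `LUAJIT_INC`, `ls -lah /usr/local/lib` is debug output, and `$LUA_INCLUDE_DIR` is the only unquoted expansion. Writing `export LUA_INCLUDE_DIR="$LUAJIT_INC"` and `ln -s "$LUA_INCLUDE_DIR" /usr/include/lua5.1` keeps the path in one place. A short comment above the `ln -s` lines, saying that they alter the build root rather than `${{targets.destdir}}`, would help the next reader.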


@ -0,0 +1,43 @@
package:
name: luaresty-balancer
version: {{ .LUA_RESTY_BALANCER_VERSION }}
epoch: 0
description: "A generic consistent hash implementation for OpenResty/Lua"
target-architecture:
- all
copyright:
- paths:
- "*"
license: BSD license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/openresty/lua-resty-balancer/archive/v{{ .LUA_RESTY_BALANCER_VERSION }}.tar.gz
expected-sha256: {{ .LUA_RESTY_BALANCER_VERSION_SHA }}
strip-components: 1
- uses: autoconf/make
- uses: autoconf/make-install
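Review bot: `version: {{ .LUA_RESTY_BALANCER_VERSION }}` renders to `version: 0.04`, a plain scalar that YAML types as a number, so whether the exact text survives depends on the consumer's decoder. Quoting the template, `version: "{{ .LUA_RESTY_BALANCER_VERSION }}"`, removes the doubt. The same applies to the other lua-resty files whose versions look numeric in the variables file (`0.11`, `0.22`, `0.08`, `0.16`, `0.29`, `0.10`). The package is also named `luaresty-balancer` while every sibling uses the `lua-resty-` prefix; `name: lua-resty-balancer` would match.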


@ -0,0 +1,42 @@
package:
name: lua-resty-cache
version: {{ .LUA_RESTY_CACHE }}
epoch: 0
description: "lua-resty-lrucache - Lua-land LRU cache based on the LuaJIT FFI."
target-architecture:
- all
copyright:
- paths:
- "*"
license: BSD license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/openresty/lua-resty-lrucache/archive/v{{ .LUA_RESTY_CACHE }}.tar.gz
expected-sha256: {{ .LUA_RESTY_CACHE_SHA }}
strip-components: 1
- uses: autoconf/make-install


@ -0,0 +1,43 @@
package:
name: lua-resty-cookie
version: {{ .LUA_RESTY_COOKIE_VERSION }}
epoch: 0
description: "lua-resty-lrucache - Lua-land LRU cache based on the LuaJIT FFI."
target-architecture:
- all
copyright:
- paths:
- "*"
license: BSD license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/cloudflare/lua-resty-cookie/archive/{{ .LUA_RESTY_COOKIE_VERSION }}.tar.gz
expected-sha256: {{ .LUA_RESTY_COOKIE_VERSION_SHA }}
strip-components: 1
- uses: autoconf/make
- uses: autoconf/make-install
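Review bot: The `description` here is the lua-resty-lrucache text copied unchanged, and it should describe the cookie library instead, for example `description: "Lua library for HTTP cookie manipulations for OpenResty/ngx_lua"`. Package metadata is what an operator sees when auditing what went into an image, so wrong descriptions make that review harder. The same copied text is in the lua-resty-dns file, and the lua-resty-global-throttle file carries the lua-resty-dns description.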


@ -0,0 +1,56 @@
package:
name: lua-resty-core
version: {{ .LUA_RESTY_CORE }}
epoch: 0
description: "lua-resty-core - New FFI-based Lua API for ngx_http_lua_module and/or ngx_stream_lua_module"
target-architecture:
- all
copyright:
- paths:
- "*"
license: BSD license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
- luajit@local
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/openresty/lua-resty-core/archive/v{{ .LUA_RESTY_CORE }}.tar.gz
expected-sha256: {{ .LUA_RESTY_CORE_SHA }}
strip-components: 1
- name: "Configure"
runs: |
export LUAJIT_LIB=/usr/local/lib
export LUA_LIB_DIR="$LUAJIT_LIB/lua"
export LUAJIT_INC=/usr/local/include/luajit-2.1
ln -s /usr/local/bin/luajit /usr/local/bin/lua
ln -s "$LUAJIT_INC" /usr/local/include/lua
export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1
ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1
ls -lah /usr/local/lib
make
make DESTDIR="${{targets.destdir}}" install


@ -0,0 +1,41 @@
package:
name: lua-resty-dns
version: {{ .LUA_RESTY_DNS }}
epoch: 0
description: "lua-resty-lrucache - Lua-land LRU cache based on the LuaJIT FFI."
target-architecture:
- all
copyright:
- paths:
- "*"
license: BSD license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/openresty/lua-resty-dns/archive/v{{ .LUA_RESTY_DNS }}.tar.gz
expected-sha256: {{ .LUA_RESTY_DNS_SHA }}
strip-components: 1
- uses: autoconf/make-install


@ -0,0 +1,41 @@
package:
name: lua-resty-global-throttle
version: {{ .LUA_RESTY_GLOBAL_THROTTLE_VERSION }}
epoch: 0
description: "lua-resty-dns - Lua DNS resolver for the ngx_lua based on the cosocket API"
target-architecture:
- all
copyright:
- paths:
- "*"
license: BSD license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/ElvinEfendi/lua-resty-global-throttle/archive/v{{ .LUA_RESTY_GLOBAL_THROTTLE_VERSION }}.tar.gz
expected-sha256: {{ .LUA_RESTY_GLOBAL_THROTTLE_VERSION_SHA }}
strip-components: 1
- uses: autoconf/make-install


@ -0,0 +1,42 @@
package:
name: lua-resty-http
version: {{ .LUA_RESTY_HTTP_VERSION }}
epoch: 0
description: "Lua HTTP client cosocket driver for OpenResty / ngx_lua."
target-architecture:
- all
copyright:
- paths:
- "*"
license: BSD license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/ledgetech/lua-resty-http/archive/{{ .LUA_RESTY_HTTP_VERSION }}.tar.gz
expected-sha256: {{ .LUA_RESTY_HTTP_VERSION_SHA }}
strip-components: 1
- uses: autoconf/make-install


@ -0,0 +1,61 @@
package:
name: lua-resty-ipmatcher
version: {{ .LUA_RESTY_IPMATCHER_VERSION }}
epoch: 0
description: "High-performance match IP address for Nginx + Lua"
target-architecture:
- all
copyright:
- paths:
- "*"
license: Apache-2.0 license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
- luajit@local
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/api7/lua-resty-ipmatcher/archive/{{ .LUA_RESTY_IPMATCHER_VERSION }}.tar.gz
expected-sha256: {{ .LUA_RESTY_IPMATCHER_VERSION_SHA }}
strip-components: 1
- name: "Configure"
run: |
- name: "Configure"
runs: |
export LUAJIT_LIB=/usr/local/lib
export LUA_LIB_DIR="$LUAJIT_LIB/lua"
export LUAJIT_INC=/usr/local/include/luajit-2.1
ln -s /usr/local/bin/luajit /usr/local/bin/lua
ln -s "$LUAJIT_INC" /usr/local/include/lua
export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1
ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1
ls -lah /usr/local/lib
#https://github.com/api7/lua-resty-ipmatcher/blob/master/Makefile#L22
export INST_LUADIR="${{targets.destdir}}"
make DESTDIR="${{targets.destdir}}" install
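Review bot: There are two `Configure` steps, and the first has an empty body under the key `run:` rather than `runs:`; it looks like a leftover and should be deleted. In the real step, `INST_LUADIR` is set to the bare `${{targets.destdir}}` and `DESTDIR` is passed as well. Depending on which of the two the upstream Makefile honours, the Lua files may land at the package root instead of a Lua module path. The script comment links the relevant Makefile line, so this is worth checking against it.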


@ -0,0 +1,41 @@
package:
name: lua-resty-lock
version: {{ .LUA_RESTY_LOCK }}
epoch: 0
description: "Simple nonblocking lock API for ngx_lua based on shared memory dictionaries"
target-architecture:
- all
copyright:
- paths:
- "*"
license: BSD license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/openresty/lua-resty-lock/archive/v{{ .LUA_RESTY_LOCK }}.tar.gz
expected-sha256: {{ .LUA_RESTY_LOCK_SHA }}
strip-components: 1
- uses: autoconf/make-install


@ -0,0 +1,42 @@
package:
name: lua-resty-memcached
version: {{ .LUA_RESTY_MEMCACHED_VERSION }}
epoch: 0
description: "Lua memcached client driver for the ngx_lua based on the cosocket API"
target-architecture:
- all
copyright:
- paths:
- "*"
license: BSD license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/openresty/lua-resty-memcached/archive/v{{ .LUA_RESTY_MEMCACHED_VERSION }}.tar.gz
expected-sha256: {{ .LUA_RESTY_MEMCACHED_VERSION_SHA }}
strip-components: 1
- uses: autoconf/make-install


@ -0,0 +1,41 @@
package:
name: lua-resty-redis
version: {{ .LUA_RESTY_REDIS_VERSION }}
epoch: 0
description: "Lua redis client driver for the ngx_lua based on the cosocket API"
target-architecture:
- all
copyright:
- paths:
- "*"
license: BSD license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/openresty/lua-resty-redis/archive/v{{ .LUA_RESTY_REDIS_VERSION }}.tar.gz
expected-sha256: {{ .LUA_RESTY_REDIS_VERSION_SHA }}
strip-components: 1
- uses: autoconf/make-install


@ -0,0 +1,42 @@
package:
name: lua-resty-string
version: {{ .LUA_RESTY_STRING_VERSION }}
epoch: 0
description: "String utilities and common hash functions for ngx_lua and LuaJIT"
target-architecture:
- all
copyright:
- paths:
- "*"
license: BSD license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/openresty/lua-resty-string/archive/{{ .LUA_RESTY_STRING_VERSION }}.tar.gz
expected-sha256: {{ .LUA_RESTY_STRING_VERSION_SHA }}
strip-components: 1
- uses: autoconf/make-install


@ -0,0 +1,42 @@
package:
name: lua-resty-upload
version: {{ .LUA_RESTY_UPLOAD_VERSION }}
epoch: 0
description: "Streaming reader and parser for http file uploading based on ngx_lua cosocket"
target-architecture:
- all
copyright:
- paths:
- "*"
license: BSD license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/openresty/lua-resty-upload/archive/v{{ .LUA_RESTY_UPLOAD_VERSION }}.tar.gz
expected-sha256: {{ .LUA_RESTY_UPLOAD_VERSION_SHA }}
strip-components: 1
- uses: autoconf/make-install


@ -0,0 +1,74 @@
package:
name: luajit
version: {{ .LUAJIT_VERSION }}
epoch: 0
description: "openresty/luajit2 - OpenResty's maintained branch of LuaJIT."
target-architecture:
- all
copyright:
- paths:
- "*"
license: MIT license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/openresty/luajit2/archive/v{{ .LUAJIT_VERSION }}.tar.gz
expected-sha256: {{ .LUAJIT_VERSION_SHA }}
strip-components: 1
- name: 'Configure LUAJIT'
with:
LUAJIT_VERSION: {{ .LUAJIT_VERSION }}
runs: |
set -o errexit
set -o nounset
set -o pipefail
echo "Arch: $(uname -m)"
ARCH=$(uname -m)
CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1))
mkdir -p ${{targets.destdir}}/etc/nginx
export MAKEFLAGS=-j${CORES}
export CTEST_BUILD_FLAGS=${MAKEFLAGS}
export HUNTER_JOBS_NUMBER=${CORES}
export HUNTER_USE_CACHE_SERVERS=true
# Install luajit from openresty fork
export LUAJIT_LIB=${{targets.destdir}}/usr/local/lib
export LUA_LIB_DIR="$LUAJIT_LIB/lua"
export LUAJIT_INC=${{targets.destdir}}/usr/local/include/luajit-2.1
echo "::::::::::::::::::::::::::::::::::::::"
echo ":::: luajit2-{{ .LUAJIT_VERSION }} ::::"
echo "::::::::::::::::::::::::::::::::::::::"
make CCDEBUG=-g
- uses: autoconf/make-install
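Review bot: `CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1))` evaluates to 0 on a single-CPU builder, and GNU make rejects the resulting `MAKEFLAGS=-j0` because `-j` needs a positive integer; clamp it with `[ "$CORES" -ge 1 ] || CORES=1` after the assignment. `ARCH`, `CTEST_BUILD_FLAGS` and the `HUNTER_*` exports are not used by anything visible in this step and look carried over from another script. `make CCDEBUG=-g` is followed by `autoconf/make-install` with no visible prefix, so it is worth confirming that the install lands under the `/usr/local` paths the other packages expect.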


@ -0,0 +1,49 @@
package:
name: mimalloc
version: {{ .MIMALOC_VERSION }}
epoch: 0
description: "mimalloc is a compact general purpose allocator with excellent performance."
target-architecture:
- all
copyright:
- paths:
- "*"
license: MIT license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
- cmake
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/microsoft/mimalloc/archive/refs/tags/v{{ .MIMALOC_VERSION }}.tar.gz
expected-sha256: {{ .MIMALOC_VERSION_SHA }}
strip-components: 1
- name: 'Configure MIMALOC'
with:
MIMALOC_VERSION: {{ .MIMALOC_VERSION }}
runs: |
ls -lah
cmake .
- uses: autoconf/make
- uses: autoconf/make-install


@ -0,0 +1,88 @@
package:
name: modsecurity
version: {{ .MODSECURITY_LIB_VERSION }}
epoch: 0
description: "ModSecurity is an open source, cross platform web application firewall (WAF) engine"
target-architecture:
- all
copyright:
- paths:
- "*"
license: Apache-2.0 license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
- git
- cmake
- autoconf
- automake
- pkgconf
- make
- automake
- libtool
- curl
- curl-dev
- libxml2
- pcre
- pcre-dev
- linux-headers
- luajit@local
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: git-checkout
with:
repository: https://github.com/SpiderLabs/ModSecurity
branch: {{ .MODSECURITY_LIB_VERSION }}
- name: 'Configure MODSECURITY'
with:
MODSECURITY_LIB_VERSION: {{ .MODSECURITY_LIB_VERSION }}
runs: |
set -o errexit
set -o nounset
set -o pipefail
# build modsecurity library
echo "::::::::::::::::::::::::::::::::::::::"
echo ":::: modsecurity {{ .MODSECURITY_LIB_VERSION }} ::::"
echo "::::::::::::::::::::::::::::::::::::::"
export LUAJIT_LIB=/usr/local/lib
export LUA_LIB_DIR="$LUAJIT_LIB/lua"
export LUAJIT_INC=/usr/local/include/luajit-2.1
ls -lah
git submodule init
git submodule update
sh build.sh
# https://github.com/SpiderLabs/ModSecurity/issues/1909#issuecomment-465926762
sed -i '115i LUA_CFLAGS="${LUA_CFLAGS} -DWITH_LUA_JIT_2_1"' build/lua.m4
sed -i '117i AC_SUBST(LUA_CFLAGS)' build/lua.m4
./configure \
--disable-doxygen-doc \
--disable-doxygen-html \
--disable-examples
- uses: autoconf/make
- uses: autoconf/make-install
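Review bot: The two `sed -i '115i …'` and `'117i …'` edits patch `build/lua.m4` by absolute line number, so if a different `MODSECURITY_LIB_VERSION` shifts that file the lines go in at the wrong place and `./configure` may still succeed without the LuaJIT 2.1 define. Anchoring the `sed` address on the text of the neighbouring line, or shipping a small patch file that fails when it does not apply, would make the breakage visible. `automake` is listed twice in `packages`. `git submodule update` also pulls further repositories during the build, which the `expected-sha256` pinning used by the `fetch` steps elsewhere does not cover.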


@ -0,0 +1,58 @@
package:
name: msgpack-cpp
version: {{ .MSGPACK_VERSION }}
epoch: 0
description: "msgpack for C/C++."
target-architecture:
- all
copyright:
- paths:
- "*"
license: Boost Software License - Version 1.0
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
-
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
- cmake
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/msgpack/msgpack-c/archive/cpp-{{ .MSGPACK_VERSION }}.tar.gz
expected-sha256: {{ .MSGPACK_VERSION_SHA }}
strip-components: 1
- name: 'Configure MSGPACK'
with:
YAML_CPP_VERSION: {{ .YAML_CPP_VERSION }}
runs: |
# build msgpack lib
echo "::::::::::::::::::::::::::::::::::::::"
echo ":::: msgpack-c-cpp-{{ .MSGPACK_VERSION }} ::::"
echo "::::::::::::::::::::::::::::::::::::::"
cmake -DCMAKE_BUILD_TYPE=Release \
-DBUILD_SHARED_LIBS=OFF \
-DMSGPACK_BUILD_EXAMPLES=OFF \
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true .
- uses: autoconf/make
- uses: autoconf/make-install
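Review bot: The `repositories` list ends with a bare `-`, which parses as a null entry. The other files have `- '@local /work/packages'` in that position, so either that line was intended here or the dash should be removed. The Configure step also declares `YAML_CPP_VERSION: {{ .YAML_CPP_VERSION }}` under `with:` although the script only refers to `MSGPACK_VERSION`.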


@ -0,0 +1,77 @@
{
"NGINX_VERSION": "1.19.10",
"NGINX_SHA": "e8d0290ff561986ad7cd6c33307e12e11b137186c4403a6a5ccdb4914c082d88",
"NDK_VERSION": "0.3.1",
"NDK_VERSION_SHA": "0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85",
"SETMISC_VERSION": "0.32",
"SETMISC_VERSION_SHA": "f1ad2459c4ee6a61771aa84f77871f4bfe42943a4aa4c30c62ba3f981f52c201",
"MORE_HEADERS_VERSION": "0.33",
"MORE_HEADERS_VERSION_SHA": "a3dcbab117a9c103bc1ea5200fc00a7b7d2af97ff7fd525f16f8ac2632e30fbf",
"NGINX_DIGEST_AUTH": "1.0.0",
"NGINX_DIGEST_AUTH_SHA": "f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b",
"NGINX_SUBSTITUTIONS": "b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0",
"NGINX_SUBSTITUTIONS_SHA": "a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f",
"NGINX_OPENTRACING_VERSION": "0.19.0",
"NGINX_OPENTRACING_VERSION_SHA": "6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17",
"OPENTRACING_CPP_VERSION": "f86b33f3d9e7322b1298ba62d5ffa7a9519c4c41",
"OPENTRACING_CPP_VERSION_SHA": "cbe625cba85291712253db5bc3870d60c709acfad9a8af5a302673d3d201e3ea",
"ZIPKIN_CPP_VERSION": "f69593138ff84ca2f6bc115992e18ca3d35f344a",
"ZIPKIN_CPP_VERSION_SHA": "71de3d0658935db7ccea20e006b35e58ddc7e4c18878b9523f2addc2371e9270",
"YAML_CPP_VERSION": "yaml-cpp-0.7.0",
"YAML_CPP_VERSION_SHA": "43e6a9fcb146ad871515f0d0873947e5d497a1c9c60c58cb102a97b47208b7c3",
"JAEGER_VERSION": "0.7.0",
"JAEGER_VERSION_SHA": "3a3a03060bf5e3fef52c9a2de02e6035cb557f389453d8f3b0c1d3d570636994",
"MSGPACK_VERSION": "3.3.0",
"MSGPACK_VERSION_SHA": "754c3ace499a63e45b77ef4bcab4ee602c2c414f58403bce826b76ffc2f77d0b",
"DATADOG_CPP_VERSION": "1.3.2",
"DATADOG_CPP_VERSION_SHA": "586f92166018cc27080d34e17c59d68219b85af745edf3cc9fe41403fc9b4ac6",
"MODSECURITY_NGINX_VERSION": "1.0.2",
"MODSECURITY_NGINX_VERSION_SHA": "f8d3ff15520df736c5e20e91d5852ec27e0874566c2afce7dcb979e2298d6980",
"MODSECURITY_LIB_VERSION": "v3.0.5",
"MODSECURITY_LIB_VERSION_SHA": "9498cf687f03dcd68313be2ce5dea7936c3f02e460e74d1075f4beb272473b6e",
"OWASP_MODSECURITY_CRS_VERSION": "v3.3.2",
"LUA_NGX_VERSION": "0.10.15",
"LUA_NGX_VERSION_SHA": "7d5f3439c8df56046d0564b5857fd8a30296ab1bd6df0f048aed7afb56a0a4c2",
"LUA_STREAM_NGX_VERSION": "0.0.7",
"LUA_STREAM_NGX_VERSION_SHA": "99c47c75c159795c9faf76bbb9fa58e5a50b75286c86565ffcec8514b1c74bf9",
"LUA_UPSTREAM_VERSION": "8aa93ead98ba2060d4efd594ae33a35d153589bf",
"LUA_UPSTREAM_VERSION_SHA": "a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f",
"LUA_CJSON_VERSION": "4b350c531de3d71008c77ae94e59275b8371b4dc",
"LUA_CJSON_VERSION_SHA": "8d602af2669fb386931760916a39f6c9034f2363c4965f215042c086b8215238",
"NGINX_INFLUXDB_VERSION": "5b09391cb7b9a889687c0aa67964c06a2d933e8b",
"NGINX_INFLUXDB_VERSION_SHA": "1af5a5632dc8b00ae103d51b7bf225de3a7f0df82f5c6a401996c080106e600e",
"GEOIP2_VERSION": "a26c6beed77e81553686852dceb6c7fdacc5970d",
"GEOIP2_VERSION_SHA": "4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b",
"NGINX_AJP_VERSION": "a964a0bcc6a9f2bfb82a13752d7794a36319ffac",
"NGINX_AJP_VERSION_SHA": "94d1512bf0e5e6ffa4eca0489db1279d51f45386fffcb8a1d2d9f7fe93518465",
"LUAJIT_VERSION": "9d5750d28478abfdcaefdfdc408f87752a21e431",
"LUAJIT_VERSION_SHA": "266ed1abb70a9806d97cb958537a44b67db6afb33d3b32292a2d68a2acedea75",
"LUA_RESTY_BALANCER_VERSION": "0.04",
"LUA_RESTY_BALANCER_VERSION_SHA": "16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5",
"LUA_RESTY_CACHE": "0.11",
"LUA_RESTY_CACHE_SHA": "e810ed124fe788b8e4aac2c8960dda1b9a6f8d0ca94ce162f28d3f4d877df8af",
"LUA_RESTY_CORE": "0.1.17",
"LUA_RESTY_CORE_SHA": "8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4",
"LUA_RESTY_COOKIE_VERSION": "303e32e512defced053a6484bc0745cf9dc0d39e",
"LUA_RESTY_COOKIE_VERSION_SHA": "5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4",
"LUA_RESTY_DNS": "0.22",
"LUA_RESTY_DNS_SHA": "70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0",
"LUA_RESTY_HTTP_VERSION": "0ce55d6d15da140ecc5966fa848204c6fd9074e8",
"LUA_RESTY_HTTP_VERSION_SHA": "9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f",
"LUA_RESTY_LOCK": "0.08",
"LUA_RESTY_LOCK_SHA": "2b4683f9abe73e18ca00345c65010c9056777970907a311d6e1699f753141de2",
"LUA_RESTY_UPLOAD_VERSION": "0.10",
"LUA_RESTY_UPLOAD_VERSION_SHA": "5d16e623d17d4f42cc64ea9cfb69ca960d313e12f5d828f785dd227cc483fcbd",
"LUA_RESTY_STRING_VERSION": "9ace36f2dde09451c377c839117ade45eb02d460",
"LUA_RESTY_STRING_VERSION_SHA": "462c6b38792bab4ca8212bdfd3f2e38f6883bb45c8fb8a03474ea813e0fab853",
"LUA_RESTY_MEMCACHED_VERSION": "0.16",
"LUA_RESTY_MEMCACHED_VERSION_SHA": "42893da0e3de4ec180c9bf02f82608d78787290a70c5644b538f29d243147396",
"LUA_RESTY_REDIS_VERSION": "0.29",
"LUA_RESTY_REDIS_VERSION_SHA": "3f602af507aacd1f7aaeddfe7b77627fcde095fe9f115cb9d6ad8de2a52520e1",
"LUA_RESTY_IPMATCHER_VERSION": "211e0d2eb8bbb558b79368f89948a0bafdc23654",
"LUA_RESTY_IPMATCHER_VERSION_SHA": "b8dbd502751140993a852381bcd8e98a402454596bd91838c1e51268d42db261",
"LUA_RESTY_GLOBAL_THROTTLE_VERSION": "0.2.0",
"LUA_RESTY_GLOBAL_THROTTLE_VERSION_SHA": "0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea",
"MIMALOC_VERSION": "1.7.6",
"MIMALOC_VERSION_SHA": "d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da"
}


@ -0,0 +1,82 @@
{
"INGRESS_NGINX_VERSION": "main",
"PKG": "k8s.io/ingress-nginx",
"TAG": "main",
"COMMIT_SHA": "cee95b50a",
"REPO_INFO": "git@github.com:kubernetes/ingress-nginx.git",
"NGINX_VERSION": "1.19.10",
"NGINX_SHA": "e8d0290ff561986ad7cd6c33307e12e11b137186c4403a6a5ccdb4914c082d88",
"NDK_VERSION": "0.3.1",
"NDK_VERSION_SHA": "0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85",
"SETMISC_VERSION": "0.32",
"SETMISC_VERSION_SHA": "f1ad2459c4ee6a61771aa84f77871f4bfe42943a4aa4c30c62ba3f981f52c201",
"MORE_HEADERS_VERSION": "0.33",
"MORE_HEADERS_VERSION_SHA": "a3dcbab117a9c103bc1ea5200fc00a7b7d2af97ff7fd525f16f8ac2632e30fbf",
"NGINX_DIGEST_AUTH": "1.0.0",
"NGINX_DIGEST_AUTH_SHA": "f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b",
"NGINX_SUBSTITUTIONS": "b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0",
"NGINX_SUBSTITUTIONS_SHA": "a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f",
"NGINX_OPENTRACING_VERSION": "0.19.0",
"NGINX_OPENTRACING_VERSION_SHA": "6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17",
"OPENTRACING_CPP_VERSION": "f86b33f3d9e7322b1298ba62d5ffa7a9519c4c41",
"OPENTRACING_CPP_VERSION_SHA": "cbe625cba85291712253db5bc3870d60c709acfad9a8af5a302673d3d201e3ea",
"ZIPKIN_CPP_VERSION": "f69593138ff84ca2f6bc115992e18ca3d35f344a",
"ZIPKIN_CPP_VERSION_SHA": "71de3d0658935db7ccea20e006b35e58ddc7e4c18878b9523f2addc2371e9270",
"YAML_CPP_VERSION": "yaml-cpp-0.7.0",
"YAML_CPP_VERSION_SHA": "43e6a9fcb146ad871515f0d0873947e5d497a1c9c60c58cb102a97b47208b7c3",
"JAEGER_VERSION": "0.7.0",
"JAEGER_VERSION_SHA": "3a3a03060bf5e3fef52c9a2de02e6035cb557f389453d8f3b0c1d3d570636994",
"MSGPACK_VERSION": "3.3.0",
"MSGPACK_VERSION_SHA": "754c3ace499a63e45b77ef4bcab4ee602c2c414f58403bce826b76ffc2f77d0b",
"DATADOG_CPP_VERSION": "1.3.2",
"DATADOG_CPP_VERSION_SHA": "586f92166018cc27080d34e17c59d68219b85af745edf3cc9fe41403fc9b4ac6",
"MODSECURITY_NGINX_VERSION": "1.0.2",
"MODSECURITY_NGINX_VERSION_SHA": "f8d3ff15520df736c5e20e91d5852ec27e0874566c2afce7dcb979e2298d6980",
"MODSECURITY_LIB_VERSION": "v3.0.5",
"MODSECURITY_LIB_VERSION_SHA": "9498cf687f03dcd68313be2ce5dea7936c3f02e460e74d1075f4beb272473b6e",
"OWASP_MODSECURITY_CRS_VERSION": "v3.3.2",
"LUA_NGX_VERSION": "b721656a9127255003b696b42ccc871c7ec18d59",
"LUA_NGX_VERSION_SHA": "085a9fb2bf9c4466977595a5fe5156d76f3a2d9a2a81be3cacaff2021773393e",
"LUA_STREAM_NGX_VERSION": "74f8c8bca5b95cecbf42d4e1a465bc08cd075a9b",
"LUA_STREAM_NGX_VERSION_SHA": "ba38c9f8e4265836ba7f2ac559ddf140693ff2f5ae33ab1e384f51f3992151ab",
"LUA_UPSTREAM_VERSION": "8aa93ead98ba2060d4efd594ae33a35d153589bf",
"LUA_UPSTREAM_VERSION_SHA": "a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f",
"LUA_CJSON_VERSION": "4b350c531de3d71008c77ae94e59275b8371b4dc",
"LUA_CJSON_VERSION_SHA": "8d602af2669fb386931760916a39f6c9034f2363c4965f215042c086b8215238",
"NGINX_INFLUXDB_VERSION": "5b09391cb7b9a889687c0aa67964c06a2d933e8b",
"NGINX_INFLUXDB_VERSION_SHA": "1af5a5632dc8b00ae103d51b7bf225de3a7f0df82f5c6a401996c080106e600e",
"GEOIP2_VERSION": "a26c6beed77e81553686852dceb6c7fdacc5970d",
"GEOIP2_VERSION_SHA": "4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b",
"NGINX_AJP_VERSION": "a964a0bcc6a9f2bfb82a13752d7794a36319ffac",
"NGINX_AJP_VERSION_SHA": "94d1512bf0e5e6ffa4eca0489db1279d51f45386fffcb8a1d2d9f7fe93518465",
"LUAJIT_VERSION": "2.1-20210510",
"LUAJIT_VERSION_SHA": "1ee6dad809a5bb22efb45e6dac767f7ce544ad652d353a93d7f26b605f69fe3f",
"LUA_RESTY_BALANCER_VERSION": "0.04",
"LUA_RESTY_BALANCER_VERSION_SHA": "16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5",
"LUA_RESTY_CACHE": "0.11",
"LUA_RESTY_CACHE_SHA": "e810ed124fe788b8e4aac2c8960dda1b9a6f8d0ca94ce162f28d3f4d877df8af",
"LUA_RESTY_CORE": "0.1.22",
"LUA_RESTY_CORE_SHA": "4d971f711fad48c097070457c128ca36053835d8a3ba25a937e9991547d55d4d",
"LUA_RESTY_COOKIE_VERSION": "303e32e512defced053a6484bc0745cf9dc0d39e",
"LUA_RESTY_COOKIE_VERSION_SHA": "5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4",
"LUA_RESTY_DNS": "0.22",
"LUA_RESTY_DNS_SHA": "70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0",
"LUA_RESTY_HTTP_VERSION": "0ce55d6d15da140ecc5966fa848204c6fd9074e8",
"LUA_RESTY_HTTP_VERSION_SHA": "9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f",
"LUA_RESTY_LOCK": "0.08",
"LUA_RESTY_LOCK_SHA": "2b4683f9abe73e18ca00345c65010c9056777970907a311d6e1699f753141de2",
"LUA_RESTY_UPLOAD_VERSION": "0.10",
"LUA_RESTY_UPLOAD_VERSION_SHA": "5d16e623d17d4f42cc64ea9cfb69ca960d313e12f5d828f785dd227cc483fcbd",
"LUA_RESTY_STRING_VERSION": "9ace36f2dde09451c377c839117ade45eb02d460",
"LUA_RESTY_STRING_VERSION_SHA": "462c6b38792bab4ca8212bdfd3f2e38f6883bb45c8fb8a03474ea813e0fab853",
"LUA_RESTY_MEMCACHED_VERSION": "0.16",
"LUA_RESTY_MEMCACHED_VERSION_SHA": "42893da0e3de4ec180c9bf02f82608d78787290a70c5644b538f29d243147396",
"LUA_RESTY_REDIS_VERSION": "0.29",
"LUA_RESTY_REDIS_VERSION_SHA": "3f602af507aacd1f7aaeddfe7b77627fcde095fe9f115cb9d6ad8de2a52520e1",
"LUA_RESTY_IPMATCHER_VERSION": "211e0d2eb8bbb558b79368f89948a0bafdc23654",
"LUA_RESTY_IPMATCHER_VERSION_SHA": "b8dbd502751140993a852381bcd8e98a402454596bd91838c1e51268d42db261",
"LUA_RESTY_GLOBAL_THROTTLE_VERSION": "0.2.0",
"LUA_RESTY_GLOBAL_THROTTLE_VERSION_SHA": "0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea",
"MIMALOC_VERSION": "1.7.6",
"MIMALOC_VERSION_SHA": "d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da"
}


@ -0,0 +1,469 @@
package:
name: nginx
version: {{ .NGINX_VERSION }}
epoch: 0
description: "the nginx webserver built for ingress-nginx"
target-architecture:
- all
copyright:
- paths:
- "*"
attestation: TODO
license: BSD-2-Clause
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- scanelf
- ssl_client
- ca-certificates-bundle
- brotli-dev
- gd-dev
- geoip-dev
- libmaxminddb-dev
- libxml2-dev
- libxslt-dev
- linux-headers
- pcre-dev
- pkgconf
- zeromq-dev
- zlib-dev
- bash
- gcc
- clang
- libc-dev
- make
- automake
- openssl-dev
- pcre-dev
- zlib-dev
- linux-headers
- libxslt-dev
- gd-dev
- geoip-dev
- perl-dev
- libedit-dev
- mercurial
- alpine-sdk
- findutils
- curl
- ca-certificates
- patch
- libaio-dev
- openssl
- cmake
- util-linux
- lmdb-tools
- wget
- curl-dev
- libprotobuf
- git
- g++
- flex
- bison
- doxygen
- yajl-dev
- lmdb-dev
- libtool
- autoconf
- libxml2
- libxml2-dev
- python3
- libmaxminddb-dev
- bc
- unzip
- dos2unix
- libcrypto1.1
- libcrypto3
- libsrt
- opentracing@local
- msgpack-cpp@local
- datadog-cpp@local
- yaml-cpp@local
- zipkin-cpp@local
- modsecurity@local
- luajit@local
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/SpiderLabs/ModSecurity-nginx/archive/v{{ .MODSECURITY_NGINX_VERSION }}.tar.gz
expected-sha256: {{ .MODSECURITY_NGINX_VERSION_SHA }}
strip-components: 0
- uses: fetch
with:
uri: https://github.com/simpl/ngx_devel_kit/archive/v{{ .NDK_VERSION }}.tar.gz
expected-sha256: {{ .NDK_VERSION_SHA }}
strip-components: 0
- uses: fetch
with:
uri: https://github.com/openresty/set-misc-nginx-module/archive/v{{.SETMISC_VERSION}}.tar.gz
expected-sha256: {{.SETMISC_VERSION_SHA}}
strip-components: 0
- uses: fetch
with:
uri: https://github.com/openresty/headers-more-nginx-module/archive/v{{ .MORE_HEADERS_VERSION }}.tar.gz
expected-sha256: {{ .MORE_HEADERS_VERSION_SHA }}
strip-components: 0
- uses: fetch
with:
uri: https://github.com/atomx/nginx-http-auth-digest/archive/v{{.NGINX_DIGEST_AUTH}}.tar.gz
expected-sha256: {{ .NGINX_DIGEST_AUTH_SHA }}
strip-components: 0
- uses: fetch
with:
uri: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/{{.NGINX_SUBSTITUTIONS}}.tar.gz
expected-sha256: {{ .NGINX_SUBSTITUTIONS_SHA }}
strip-components: 0
- uses: fetch
with:
uri: https://github.com/opentracing-contrib/nginx-opentracing/archive/v{{ .NGINX_OPENTRACING_VERSION }}.tar.gz
expected-sha256: {{ .NGINX_OPENTRACING_VERSION_SHA }}
strip-components: 0
- uses: fetch
with:
uri: https://github.com/openresty/lua-nginx-module/archive/{{ .LUA_NGX_VERSION }}.tar.gz
expected-sha256: {{ .LUA_NGX_VERSION_SHA }}
strip-components: 0
- uses: fetch
with:
uri: https://github.com/openresty/stream-lua-nginx-module/archive/{{ .LUA_STREAM_NGX_VERSION }}.tar.gz
expected-sha256: {{ .LUA_STREAM_NGX_VERSION_SHA }}
strip-components: 0
- uses: fetch
with:
uri: https://github.com/openresty/lua-upstream-nginx-module/archive/{{ .LUA_UPSTREAM_VERSION }}.tar.gz
expected-sha256: {{ .LUA_UPSTREAM_VERSION_SHA }}
strip-components: 0
- uses: fetch
with:
uri: https://github.com/influxdata/nginx-influxdb-module/archive/{{ .NGINX_INFLUXDB_VERSION }}.tar.gz
expected-sha256: {{ .NGINX_INFLUXDB_VERSION_SHA }}
strip-components: 0
- uses: fetch
with:
uri: https://github.com/leev/ngx_http_geoip2_module/archive/{{ .GEOIP2_VERSION }}.tar.gz
expected-sha256: {{ .GEOIP2_VERSION_SHA }}
strip-components: 0
- uses: fetch
with:
uri: https://github.com/yaoweibin/nginx_ajp_module/archive/{{ .NGINX_AJP_VERSION }}.tar.gz
expected-sha256: {{ .NGINX_AJP_VERSION_SHA }}
strip-components: 0
- uses: fetch
with:
uri: https://nginx.org/download/${{package.name}}-${{package.version}}.tar.gz
expected-sha256: {{ .NGINX_SHA }}
strip-components: 0
- name: 'Configure nginx'
with:
NGINX_VERSION: {{ .NGINX_VERSION }}
NDK_VERSION: {{ .NDK_VERSION }}
SETMISC_VERSION: {{ .SETMISC_VERSION}}
MORE_HEADERS_VERSION: {{ .MORE_HEADERS_VERSION }}
NGINX_DIGEST_AUTH: {{ .NGINX_DIGEST_AUTH }}
NGINX_SUBSTITUTIONS: {{ .NGINX_SUBSTITUTIONS }}
NGINX_OPENTRACING_VERSION: {{ .NGINX_OPENTRACING_VERSION }}
DATADOG_CPP_VERSION: {{ .DATADOG_CPP_VERSION }}
MODSECURITY_NGINX_VERSION: {{ .MODSECURITY_NGINX_VERSION }}
MODSECURITY_LIB_VERSION: {{ .MODSECURITY_LIB_VERSION }}
OWASP_MODSECURITY_CRS_VERSION: {{ .OWASP_MODSECURITY_CRS_VERSION }}
LUA_NGX_VERSION: {{ .LUA_NGX_VERSION }}
LUA_STREAM_NGX_VERSION: {{ .LUA_STREAM_NGX_VERSION }}
LUA_UPSTREAM_VERSION: {{ .LUA_UPSTREAM_VERSION }}
LUA_CJSON_VERSION: {{ .LUA_CJSON_VERSION }}
NGINX_INFLUXDB_VERSION: {{ .NGINX_INFLUXDB_VERSION }}
GEOIP2_VERSION: {{ .GEOIP2_VERSION }}
NGINX_AJP_VERSION: {{ .NGINX_AJP_VERSION }}
LUAJIT_VERSION: {{ .LUAJIT_VERSION }}
LUA_RESTY_CACHE: {{ .LUA_RESTY_CACHE }}
LUA_RESTY_CORE: {{ .LUA_RESTY_CORE }}
LUA_RESTY_COOKIE_VERSION: {{ .LUA_RESTY_COOKIE_VERSION }}
LUA_RESTY_DNS: {{ .LUA_RESTY_DNS }}
LUA_RESTY_HTTP_VERSION: {{ .LUA_RESTY_HTTP_VERSION }}
LUA_RESTY_LOCK: {{ .LUA_RESTY_LOCK }}
LUA_RESTY_UPLOAD_VERSION: {{ .LUA_RESTY_UPLOAD_VERSION }}
LUA_RESTY_STRING_VERSION: {{ .LUA_RESTY_STRING_VERSION }}
LUA_RESTY_MEMCACHED_VERSION: {{ .LUA_RESTY_MEMCACHED_VERSION }}
LUA_RESTY_REDIS_VERSION: {{ .LUA_RESTY_REDIS_VERSION }}
LUA_RESTY_IPMATCHER_VERSION: {{ .LUA_RESTY_IPMATCHER_VERSION }}
LUA_RESTY_GLOBAL_THROTTLE_VERSION: {{ .LUA_RESTY_GLOBAL_THROTTLE_VERSION }}
MIMALOC_VERSION: {{ .MIMALOC_VERSION }}
runs: |
set -o errexit
set -o nounset
set -o pipefail
export BUILD_PATH="${PWD}"
echo "BUILD_PATH $BUILD_PATH"
echo "Arch: $(uname -m)"
export HUNTER_INSTALL_DIR=$(cat _3rdParty/Hunter/install-root-dir)
export LUAJIT_LIB=/usr/local/lib
export LUA_LIB_DIR="$LUAJIT_LIB/lua"
export LUAJIT_INC=/usr/local/include/luajit-2.1
export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1
ln -s /usr/local/bin/luajit /usr/local/bin/lua
ln -s "$LUAJIT_INC" /usr/local/include/lua
ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1
ARCH=$(uname -m)
# Get Brotli source and deps
echo "::::::::::::::::::::::::::::::::::::::"
echo ":::: ngx_brotl ::::"
echo "::::::::::::::::::::::::::::::::::::::"
cd "$BUILD_PATH"
git clone --depth=1 https://github.com/google/ngx_brotli.git
cd ngx_brotli
git submodule init
git submodule update
git clone --depth=1 -b {{ .MODSECURITY_LIB_VERSION }} https://github.com/SpiderLabs/ModSecurity
mkdir -p ${{targets.destdir}}/etc/nginx/modsecurity
cp ModSecurity/modsecurity.conf-recommended ${{targets.destdir}}/etc/nginx/modsecurity/modsecurity.conf
cp ModSecurity/unicode.mapping ${{targets.destdir}}/etc/nginx/modsecurity/unicode.mapping
# Replace serial logging with concurrent
sed -i 's|SecAuditLogType Serial|SecAuditLogType Concurrent|g' ${{targets.destdir}}/etc/nginx/modsecurity/modsecurity.conf
# Concurrent logging implies the log is stored in several files
echo "SecAuditLogStorageDir /var/log/audit/" >> ${{targets.destdir}}/etc/nginx/modsecurity/modsecurity.conf
# Download owasp modsecurity crs
cd ${{targets.destdir}}/etc/nginx/
git clone -b {{ .OWASP_MODSECURITY_CRS_VERSION }} https://github.com/coreruleset/coreruleset owasp-modsecurity-crs
cd owasp-modsecurity-crs
mv crs-setup.conf.example crs-setup.conf
mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cd ${{targets.destdir}}/etc/nginx/
# OWASP CRS v3 rules
echo '
Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
' > ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
echo "::::::::::::::::::::::::::::::::::::::"
echo ":::: nginx-{{ .NGINX_VERSION }} ::::"
echo "::::::::::::::::::::::::::::::::::::::"
cd "$BUILD_PATH/nginx-{{ .NGINX_VERSION }}"
WITH_FLAGS="--with-debug \
--with-compat \
--with-pcre-jit \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_auth_request_module \
--with-http_addition_module \
--with-http_geoip_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-http_v2_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_ssl_preread_module \
--with-threads \
--with-http_secure_link_module \
--with-http_gunzip_module"
# "Combining -flto with -g is currently experimental and expected to produce unexpected results."
# https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html
CC_OPT="-g -O2 -fPIE -fstack-protector-strong \
-Wformat \
-Werror=format-security \
-Wno-deprecated-declarations \
-fno-strict-aliasing \
-D_FORTIFY_SOURCE=2 \
--param=ssp-buffer-size=4 \
-DTCP_FASTOPEN=23 \
-fPIC \
-I$HUNTER_INSTALL_DIR/include \
-Wno-cast-function-type"
LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L$HUNTER_INSTALL_DIR/lib"
WITH_FLAGS="--with-debug \
--with-compat \
--with-pcre-jit \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_auth_request_module \
--with-http_addition_module \
--with-http_geoip_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-http_v2_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_ssl_preread_module \
--with-threads \
--with-http_secure_link_module \
--with-http_gunzip_module"
WITH_MODULES=" \
--add-module=${BUILD_PATH}/ngx_devel_kit-{{ .NDK_VERSION }} \
--add-module=${BUILD_PATH}/set-misc-nginx-module-{{ .SETMISC_VERSION }} \
--add-module=${BUILD_PATH}/headers-more-nginx-module-{{ .MORE_HEADERS_VERSION }} \
--add-module=${BUILD_PATH}/ngx_http_substitutions_filter_module-{{ .NGINX_SUBSTITUTIONS }} \
--add-module=${BUILD_PATH}/lua-nginx-module-{{ .LUA_NGX_VERSION }} \
--add-module=${BUILD_PATH}/stream-lua-nginx-module-{{ .LUA_STREAM_NGX_VERSION }} \
--add-module=${BUILD_PATH}/lua-upstream-nginx-module-{{ .LUA_UPSTREAM_VERSION }} \
--add-module=${BUILD_PATH}/nginx_ajp_module-{{ .NGINX_AJP_VERSION }} \
--add-dynamic-module=${BUILD_PATH}/nginx-http-auth-digest-{{ .NGINX_DIGEST_AUTH }} \
--add-dynamic-module=${BUILD_PATH}/nginx-influxdb-module-{{ .NGINX_INFLUXDB_VERSION }} \
--add-dynamic-module=${BUILD_PATH}/nginx-opentracing-{{ .NGINX_OPENTRACING_VERSION }}/opentracing \
--add-dynamic-module=${BUILD_PATH}/ModSecurity-nginx-{{ .MODSECURITY_NGINX_VERSION }} \
--add-dynamic-module=${BUILD_PATH}/ngx_http_geoip2_module-{{ .GEOIP2_VERSION }} \
--add-dynamic-module=${BUILD_PATH}/ngx_brotli"
# "Combining -flto with -g is currently experimental and expected to produce unexpected results."
# https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html
CC_OPT="-g -O2 -fPIE -fstack-protector-strong \
-Wformat \
-Werror=format-security \
-Wno-deprecated-declarations \
-fno-strict-aliasing \
-D_FORTIFY_SOURCE=2 \
--param=ssp-buffer-size=4 \
-DTCP_FASTOPEN=23 \
-fPIC \
-I$HUNTER_INSTALL_DIR/include \
-Wno-cast-function-type"
LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L$HUNTER_INSTALL_DIR/lib"
if [[ ${ARCH} != "aarch64" ]]; then
WITH_FLAGS="${WITH_FLAGS} --with-file-aio"
fi
if [[ ${ARCH} == "x86_64" ]]; then
CC_OPT="${CC_OPT} -m64 -mtune=generic"
fi
echo "::::::::::::::::::::::::::::::::::::::::::::::::"
echo ":::: Configuring nginx-{{ .NGINX_VERSION }} ::::"
echo "::::::::::::::::::::::::::::::::::::::::::::::::"
./configure \
--prefix=/usr/local/nginx \
--conf-path=/etc/nginx/nginx.conf \
--modules-path=/etc/nginx/modules \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
${WITH_FLAGS} \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--with-cc-opt="${CC_OPT}" \
--with-ld-opt="${LD_OPT}" \
--user=www-data \
--group=www-data \
${WITH_MODULES}
echo "::::::::::::::::::::::::::::::::::::::::::"
echo ":::: MAKE nginx-{{ .NGINX_VERSION }} ::::"
echo "::::::::::::::::::::::::::::::::::::::::::"
make
echo "::::::::::::::::::::::::::::::::::::::::::::"
echo ":::: MODULES nginx-{{ .NGINX_VERSION }} ::::"
echo "::::::::::::::::::::::::::::::::::::::::::::"
make DESTDIR="${{targets.destdir}}" modules
echo "::::::::::::::::::::::::::::::::::::::::::::"
echo ":::: INSTALL nginx-{{ .NGINX_VERSION }} ::::"
echo "::::::::::::::::::::::::::::::::::::::::::::"
make DESTDIR="${{targets.destdir}}" install
echo "::::::::::::::::::::::::::::::::::::::::::::"
echo ":::::::::::::::: CLEANUP :::::::::::::::::::"
echo "::::::::::::::::::::::::::::::::::::::::::::"
echo "Clean up owasp-modsecurity-crs"
rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/.git
rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/util/regression-tests
echo "Clean up everything else"
cd ${BUILD_PATH}
rm -rf *.tar.gz ${BUILD_PATH}/ngx_devel_kit-{{ .NDK_VERSION }} \
${BUILD_PATH}/set-misc-nginx-module-{{ .SETMISC_VERSION }} \
${BUILD_PATH}/headers-more-nginx-module-{{ .MORE_HEADERS_VERSION }} \
${BUILD_PATH}/ngx_http_substitutions_filter_module-{{ .NGINX_SUBSTITUTIONS }} \
${BUILD_PATH}/lua-nginx-module-{{ .LUA_NGX_VERSION }} \
${BUILD_PATH}/stream-lua-nginx-module-{{ .LUA_STREAM_NGX_VERSION }} \
${BUILD_PATH}/lua-upstream-nginx-module-{{ .LUA_UPSTREAM_VERSION }} \
${BUILD_PATH}/nginx_ajp_module-{{ .NGINX_AJP_VERSION }} \
${BUILD_PATH}/nginx-http-auth-digest-{{ .NGINX_DIGEST_AUTH }} \
${BUILD_PATH}/nginx-influxdb-module-{{ .NGINX_INFLUXDB_VERSION }} \
${BUILD_PATH}/nginx-opentracing-{{ .NGINX_OPENTRACING_VERSION }}/opentracing \
${BUILD_PATH}/ModSecurity-nginx-{{ .MODSECURITY_NGINX_VERSION }} \
${BUILD_PATH}/ngx_http_geoip2_module-{{ .GEOIP2_VERSION }} \
${BUILD_PATH}/ngx_brotli
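Review bot: The three `git clone` calls in the `Configure nginx` step (ngx_brotli at the default branch head, ModSecurity and coreruleset by `-b` ref) pull in source with no integrity check, while every other module in this file goes through `fetch` with `expected-sha256`. A re-pointed tag or a new upstream commit would change the module code and the WAF rules shipped in the package without any change in this repository. I would pin each clone to a full commit id kept next to the other versions and fail the build on mismatch, e.g. after the clone `[ "$(git -C ngx_brotli rev-parse HEAD)" = "{{ .NGX_BROTLI_COMMIT }}" ]` (`NGX_BROTLI_COMMIT` is a new variable this proposal would add); the submodules are then fixed by the commits the superproject records. Separately, `WITH_FLAGS`, `CC_OPT` and `LD_OPT` are each assigned twice with identical values, so one copy of each can be removed.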


@ -0,0 +1,55 @@
package:
name: opentracing
version: {{ .OPENTRACING_CPP_VERSION }}
epoch: 0
description: "C++ implementation of the OpenTracing API http://opentracing.io"
target-architecture:
- all
copyright:
- paths:
- "*"
license: Apache-2.0 license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
- cmake
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/opentracing/opentracing-cpp/archive/{{ .OPENTRACING_CPP_VERSION }}.tar.gz
expected-sha256: {{ .OPENTRACING_CPP_VERSION_SHA }}
strip-components: 1
- name: 'Configure OPENTRACING CPP'
with:
OPENTRACING_CPP_VERSION: {{ .OPENTRACING_CPP_VERSION }}
runs: |
cmake -DCMAKE_BUILD_TYPE=Release \
-DBUILD_TESTING=OFF \
-DBUILD_SHARED_LIBS=OFF \
-DBUILD_MOCKTRACER=OFF \
-DBUILD_STATIC_LIBS=ON \
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \
.
- uses: autoconf/make
- uses: autoconf/make-install
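Review bot: `license: Apache-2.0 license` is not an SPDX identifier; the field should read `license: Apache-2.0`, as the waitshutdown file in this commit already does. The same trailing word appears in the zipkin-cpp file (`Apache-2.0 license`) and the ssdeep file (`GPL-2.0 license`). Tools that read this field for SBOM generation or licence-policy checks will likely fail to match the value as written.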


@ -0,0 +1,57 @@
package:
name: ssdeep
version: 2.14.1
epoch: 0
description: "Fuzzy hashing API and fuzzy hashing tool"
target-architecture:
- all
copyright:
- paths:
- "*"
license: GPL-2.0 license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
- cmake
- autoconf
- automake
- pkgconf
- make
- automake
- libtool
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/ssdeep-project/ssdeep/archive/refs/tags/release-2.14.1.tar.gz
expected-sha256: d96f667a8427ad96da197884574c7ca8c7518a37d9ac8593b6ea77e7945720a4
strip-components: 1
- name: 'Configure SSDEEP'
with:
YAML_CPP_VERSION: {{ .YAML_CPP_VERSION }}
runs: |
echo "::::::::::::::::::::::::::::::::::::::"
echo ":::: ssdeep ::::"
echo "::::::::::::::::::::::::::::::::::::::"
./bootstrap
./configure
- uses: autoconf/make
- uses: autoconf/make-install
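Review bot: The `Configure SSDEEP` step passes `YAML_CPP_VERSION: {{ .YAML_CPP_VERSION }}` under `with:`, which looks like a leftover from the yaml-cpp file; nothing in the `runs` script reads it, and it makes rendering this file depend on an unrelated variable. I would drop that `with:` block. The release number is also written twice (`version: 2.14.1` and inside the `uri`); using `release-${{package.version}}.tar.gz` in the `uri` keeps the download and the declared version from drifting apart, with `expected-sha256` still catching a mismatch. `automake` is listed twice under `packages`.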


@ -0,0 +1,59 @@
package:
name: waitshutdown
version: {{ .INGRESS_NGINX_VERSION }}
epoch: 0
description: "waitshutdown is a tool for terminating ingress controller nginx instance"
target-architecture:
- all
copyright:
- paths:
- "*"
attestation: TODO
license: Apache-2.0
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
packages:
- alpine-baselayout-data
- ca-certificates-bundle
- tree
- go
- bash
- curl
- ca-certificates-bundle
- git
- openssh-client
- make
- gcc
- busybox
- build-base
pipeline:
- uses: git-checkout
with:
repository: https://github.com/kubernetes/ingress-nginx
tag: ${{package.version}}
- name: Build ingress-nginx controller from source
with:
PKG: {{ .PKG }}
TAG: {{ .TAG }}
COMMIT_SHA: {{ .COMMIT_SHA }}
REPO_INFO: {{ .REPO_INFO }}
runs: |
set -o errexit
set -o nounset
set -o pipefail
mkdir -p ${{targets.destdir}}
go build -v \
-trimpath -ldflags="-buildid= -w -s \
-X {{ .PKG }}/version.RELEASE={{ .TAG }} \
-X {{ .PKG }}/version.COMMIT={{ .COMMIT_SHA }} \
-X {{ .PKG }}/version.REPO={{ .REPO_INFO }}" \
-o "${{targets.destdir}}/wait-shutdown" {{ .PKG }}/cmd/waitshutdown
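Review bot: The `git-checkout` step selects the source by `tag: ${{package.version}}` alone, and `{{ .COMMIT_SHA }}` is only stamped into the binary through `-X ... version.COMMIT`; nothing checks that the tree being compiled is that commit. A tag can be re-pointed upstream, in which case the binary would report a commit it was not built from. If `COMMIT_SHA` is meant to be the commit the tag resolves to (not visible from this file), add a check before `go build`, e.g. `[ "$(git rev-parse HEAD)" = "{{ .COMMIT_SHA }}" ]`, which stops the step under `errexit`. The step name `Build ingress-nginx controller from source` should say that it builds `wait-shutdown`.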


@ -0,0 +1,57 @@
package:
name: yaml-cpp
version: {{ .YAML_CPP_VERSION }}
epoch: 0
description: "yaml-cpp is a YAML parser and emitter in C++ matching the YAML 1.2 spec."
target-architecture:
- all
copyright:
- paths:
- "*"
license: MIT
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
-
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
- cmake
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/jbeder/yaml-cpp/archive/{{ .YAML_CPP_VERSION }}.tar.gz
expected-sha256: {{ .YAML_CPP_VERSION_SHA }}
strip-components: 1
- name: 'Configure YAML_CPP'
with:
YAML_CPP_VERSION: {{ .YAML_CPP_VERSION }}
runs: |
echo "::::::::::::::::::::::::::::::::::::::"
echo ":::: yaml-cpp-{{ .YAML_CPP_VERSION }} ::::"
echo "::::::::::::::::::::::::::::::::::::::"
cmake -DCMAKE_BUILD_TYPE=Release \
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \
-DYAML_BUILD_SHARED_LIBS=ON \
-DYAML_CPP_BUILD_TESTS=OFF \
-DYAML_CPP_BUILD_TOOLS=OFF .
- uses: autoconf/make
- uses: autoconf/make-install
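Review bot: The bare `-` after the two Alpine URLs under `repositories:` adds an empty (null) list entry; depending on how the consumer handles it, this is either a load error or an empty repository line in the build environment. Remove that line, or, if a local repository was intended as in the nginx and zipkin-cpp files, write `- '@local /work/packages'`. Nothing in the `packages` list here uses an `@local` package, so deleting the line looks like the right fix.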


@ -0,0 +1,69 @@
package:
name: zipkin-cpp
version: {{ .ZIPKIN_CPP_VERSION }}
epoch: 0
description: "OpenTracing implementation for Zipkin in C++."
target-architecture:
- all
copyright:
- paths:
- "*"
license: Apache-2.0 license
dependencies:
runtime:
environment:
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- busybox
- build-base
- ssl_client
- ca-certificates-bundle
- cmake
- curl
- curl-dev
- opentracing@local
accounts:
groups:
- groupname: www-data
gid: 10000
users:
- username: www-data
uid: 10000
pipeline:
- uses: fetch
with:
uri: https://github.com/rnburn/zipkin-cpp-opentracing/archive/{{ .ZIPKIN_CPP_VERSION }}.tar.gz
expected-sha256: {{ .ZIPKIN_CPP_VERSION_SHA }}
strip-components: 1
- name: 'Configure ZIPKIN CPP VERSION'
with:
OPENTRACING_CPP_VERSION: {{ .ZIPKIN_CPP_VERSION }}
runs: |
echo "::::::::::::::::::::::::::::::::::::::"
echo ":::: zipkin-cpp-opentracing-{{ .ZIPKIN_CPP_VERSION }} ::::"
echo "::::::::::::::::::::::::::::::::::::::"
cat <<EOF > export.map
{
global:
OpenTracingMakeTracerFactory;
local: *;
};
EOF
cmake -DCMAKE_BUILD_TYPE=Release \
-DBUILD_SHARED_LIBS=OFF \
-DBUILD_PLUGIN=ON \
-DBUILD_TESTING=OFF \
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true .
- uses: autoconf/make
- uses: autoconf/make-install
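Review bot: `export.map` is written by the heredoc but never handed to the linker: the `cmake` call that follows has no `--version-script` option, so as far as this file shows the restriction of exported symbols to `OpenTracingMakeTracerFactory` does not take effect. If the restriction is wanted, add something like `-DCMAKE_SHARED_LINKER_FLAGS="-Wl,--version-script=${PWD}/export.map"` to the `cmake` line; otherwise delete the heredoc. The `with:` key `OPENTRACING_CPP_VERSION` is set from `{{ .ZIPKIN_CPP_VERSION }}` and would be clearer named `ZIPKIN_CPP_VERSION`.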