From 39e151710d4e0c7406cbe1241e49197d07e52902 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 27 Sep 2022 18:57:46 -0400 Subject: [PATCH] testing melange 
Signed-off-by: James Strong --- .github/workflows/melange-nginx.yaml | 208 ++++++ distroless-build/Makefile | 111 +++ distroless-build/apko/ingress.yaml | 184 +++++ distroless-build/apko/nginx.yaml | 176 +++++ distroless-build/kind-deploy.yaml | 656 ++++++++++++++++++ distroless-build/melange/datadog.yaml | 62 ++ distroless-build/melange/dbg.yaml | 58 ++ .../melange/ingress-nginx-controller.yaml | 58 ++ distroless-build/melange/jaeger.yaml | 94 +++ distroless-build/melange/lua-cjson.yaml | 56 ++ .../melange/lua-resty-balancer.yaml | 43 ++ distroless-build/melange/lua-resty-cache.yaml | 42 ++ .../melange/lua-resty-cookie.yaml | 43 ++ distroless-build/melange/lua-resty-core.yaml | 56 ++ distroless-build/melange/lua-resty-dns.yaml | 41 ++ .../melange/lua-resty-global-throttle.yaml | 41 ++ distroless-build/melange/lua-resty-http.yaml | 42 ++ .../melange/lua-resty-ipmatcher.yaml | 61 ++ distroless-build/melange/lua-resty-lock.yaml | 41 ++ .../melange/lua-resty-memcached.yaml | 42 ++ distroless-build/melange/lua-resty-redis.yaml | 41 ++ .../melange/lua-resty-string.yaml | 42 ++ .../melange/lua-resty-upload.yaml | 42 ++ distroless-build/melange/luajit.yaml | 74 ++ distroless-build/melange/mimaloc.yaml | 49 ++ distroless-build/melange/modsecurity.yaml | 88 +++ distroless-build/melange/msgpack.yaml | 58 ++ .../melange/nginx-templates-s390x.json | 77 ++ distroless-build/melange/nginx-templates.json | 82 +++ distroless-build/melange/nginx.yaml | 469 +++++++++++++ distroless-build/melange/opentracing.yaml | 55 ++ distroless-build/melange/ssdeep.yaml | 57 ++ distroless-build/melange/wait-shutdown.yaml | 59 ++ distroless-build/melange/yaml.yaml | 57 ++ distroless-build/melange/zipkin.yaml | 69 ++ 35 files changed, 3434 insertions(+) create mode 100644 .github/workflows/melange-nginx.yaml create mode 100644 distroless-build/Makefile create mode 100644 distroless-build/apko/ingress.yaml create mode 100644 distroless-build/apko/nginx.yaml create mode 100644 
distroless-build/kind-deploy.yaml create mode 100644 distroless-build/melange/datadog.yaml create mode 100644 distroless-build/melange/dbg.yaml create mode 100644 distroless-build/melange/ingress-nginx-controller.yaml create mode 100644 distroless-build/melange/jaeger.yaml create mode 100644 distroless-build/melange/lua-cjson.yaml create mode 100644 distroless-build/melange/lua-resty-balancer.yaml create mode 100644 distroless-build/melange/lua-resty-cache.yaml create mode 100644 distroless-build/melange/lua-resty-cookie.yaml create mode 100644 distroless-build/melange/lua-resty-core.yaml create mode 100644 distroless-build/melange/lua-resty-dns.yaml create mode 100644 distroless-build/melange/lua-resty-global-throttle.yaml create mode 100644 distroless-build/melange/lua-resty-http.yaml create mode 100644 distroless-build/melange/lua-resty-ipmatcher.yaml create mode 100644 distroless-build/melange/lua-resty-lock.yaml create mode 100644 distroless-build/melange/lua-resty-memcached.yaml create mode 100644 distroless-build/melange/lua-resty-redis.yaml create mode 100644 distroless-build/melange/lua-resty-string.yaml create mode 100644 distroless-build/melange/lua-resty-upload.yaml create mode 100644 distroless-build/melange/luajit.yaml create mode 100644 distroless-build/melange/mimaloc.yaml create mode 100644 distroless-build/melange/modsecurity.yaml create mode 100644 distroless-build/melange/msgpack.yaml create mode 100644 distroless-build/melange/nginx-templates-s390x.json create mode 100644 distroless-build/melange/nginx-templates.json create mode 100644 distroless-build/melange/nginx.yaml create mode 100644 distroless-build/melange/opentracing.yaml create mode 100644 distroless-build/melange/ssdeep.yaml create mode 100644 distroless-build/melange/wait-shutdown.yaml create mode 100644 distroless-build/melange/yaml.yaml create mode 100644 distroless-build/melange/zipkin.yaml 
diff --git a/.github/workflows/melange-nginx.yaml b/.github/workflows/melange-nginx.yaml
new file mode 100644
index 000000000..08cd04bba
--- /dev/null
+++ b/.github/workflows/melange-nginx.yaml
@@ -0,0 +1,208 @@ +# Adding/removing/modifying supported Nginx version(s)? +# Do a search of this file for the string "versionmod" +# for all the parts of this file which might need changes +# See also "ignored-versions" in version-check.yaml +# TODO: minimize the total number of these + +on: + push: + branches: + - main + - melange + + # If README.md is generated by this job, do not re-run + paths-ignore: + - README.md + +# schedule: +# - cron: '0 0 * * *' + + # Allow manually triggered workflows by maintainers without any + # parameters to trigger a proactive rebuild (e.g. when a new + # ingress.yaml lands) + workflow_dispatch: {} + +name: Create Release + +# Don't run multiple releases concurrently. +concurrency: release + +jobs: + build: + name: Release OCI image + runs-on: ubuntu-latest + + outputs: + # versionmod + image-refs-1-19-10: ${{ steps.emit-refs.outputs.image-refs-1-19-10 }} + + strategy: + matrix: + # versionmod + nginx-version: [1.19.10] + include: + - nginx-version: 1.19.10 + sha256: e8d0290ff561986ad7cd6c33307e12e11b137186c4403a6a5ccdb4914c082d88 + + # https://docs.github.com/en/actions/reference/authentication-in-a-workflow + permissions: + id-token: write + packages: write + contents: read + + steps: + - uses: actions/checkout@v3 + - uses: sigstore/cosign-installer@main + + - name: Setup QEMU + uses: docker/setup-qemu-action@v2.0.0 + + - name: Melange build + id: melange + run: | + cd images/nginx + make melange + make index + +# - id: ingress.yaml +# uses: distroless/actions/ingress.yaml-snapshot@main +# with: +# config: ingress.yaml.yaml +# base-tag: ghcr.io/${{ github.repository }} +# keyring-append: /github/workspace/melange.rsa.pub +# archs: x86_64,aarch64,armv7 +# additional-tags: ${{ matrix.nginx-version }} +# image_refs: ingress.yaml.images +# +# - name: Emit Image Refs output +# id: emit-refs +# run: | +# # versionmod +# versions="1.19.10" +# echo "cat ingress.yaml.images | sed 's/\\$/\n/g' | grep -v '^\$' | jq -R -s -c 
'split(\"\n\")[:-1]'" > refs-to-json.sh && chmod +x refs-to-json.sh +# trap "rm -f refs-to-json.sh" EXIT +# for version in ${versions//,/ }; do +# if [[ "${version}" == "${{ matrix.nginx-version }}" ]]; then +# key=image-refs-$(echo ${version} | sed 's|\.|-|g') +# value=$(./refs-to-json.sh | sed 's|"|\\"|g') +# echo ::set-output name=${key}::${value} +# break +# fi +# done +# +# - name: Smoke Test +# run: | +# IMAGE_NAME=$(docker load < output.tar | grep "Loaded image" | sed 's/^Loaded image: //') +# IMAGE_NAME=$IMAGE_NAME ./test.sh +# +# - name: Additional tags +# uses: distroless/actions/tag@main +# with: +# distroless_image: ghcr.io/${{ github.repository }}:${{ matrix.nginx-version }} +# docker_image_tag: ${{ matrix.nginx-version }} +# docker_image: "nginx" +# +# - if: ${{ failure() }} +# name: Setup debug upterm session +# uses: lhotari/action-upterm@v1 +# +# # Merge the JSON lists of images published in the build job into a single output +# collect-image-refs: +# name: Collect image refs +# needs: build +# runs-on: ubuntu-latest +# outputs: +# image-refs: ${{ steps.combine.outputs.image-refs }} +# steps: +# - name: Combine image refs across all versions +# id: combine +# run: | +# rm -f image-refs-*.json +# +# # versionmod +# echo "${{ needs.build.outputs.image-refs-1-19-1 }}" > image-refs-1-19-1.json +# +# jq -c -s '.[]=([.[]]|flatten)|.[0]' image-refs-*.json > image-refs-combined.json +# echo "Combined image refs:" +# echo "---------------------------" +# cat image-refs-combined.json +# echo "---------------------------" +# +# echo ::set-output name=image-refs::$(cat image-refs-combined.json) +# rm -f image-refs-*.json +# +# scan: +# name: Scan ingress.yaml images +# needs: collect-image-refs +# runs-on: ubuntu-latest +# +# # https://docs.github.com/en/actions/reference/authentication-in-a-workflow +# permissions: +# id-token: write +# packages: write +# contents: read +# +# strategy: +# matrix: +# ref: ${{ 
fromJson(needs.collect-image-refs.outputs.image-refs) }} +# steps: +# - run: | +# echo ${{ matrix.ref }} + +# - uses: distroless/actions/vul-scans@main +# id: scans +# with: +# registry: ghcr.io +# username: ${{ github.actor }} +# password: ${{ github.token }} +# image: ${{ matrix.ref }} +# RUN_SNYK: "false" +# RUN_GRYPE: "false" +# DOCKER_LOGIN: 'true' + +# - name: Image Vulnerability scan output +# shell: bash +# env: +# SNYK_COUNT: ${{ steps.scans.outputs.SNYK_COUNT }} +# GRYPE_COUNT: ${{ steps.scans.outputs.GRYPE_COUNT }} +# TRIVY_COUNT: ${{ steps.scans.outputs.TRIVY_COUNT }} +# run: | +# echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY +# echo "Image ID: ${{ matrix.ref }}" >> $GITHUB_STEP_SUMMARY +# echo "" >> $GITHUB_STEP_SUMMARY +# echo "Snyk Count: $SNYK_COUNT" >> $GITHUB_STEP_SUMMARY +# echo "Grype Count: $GRYPE_COUNT" >> $GITHUB_STEP_SUMMARY +# echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY + +# generate-readme: +# name: Generate README +# needs: scan +# runs-on: ubuntu-latest +# permissions: +# id-token: write # Enable OIDC +# contents: write +# steps: +# - name: Checkout source +# uses: actions/checkout@v3 +# - name: Generate README +# uses: distroless/readme-generator@main +# with: +# repo: https://github.com/distroless/nginx +# name: nginx +# location: distroless.dev/nginx +# description: "A minimal nginx base image rebuilt every night from source." +# exclude-tags: 1.20.2-r0,1.20.2,1.20,1.23.0 +# output-path: README-GENERATED.md +# - name: Push new README back to the repo +# run: | +# set -x +# if [[ "$(diff README-GENERATED.md README.md)" == "" ]]; then +# echo "No diff detected in README. Skipping." +# exit 0 +# fi +# git config user.name "Automated" +# git config user.email "actions@users.noreply.github.com" +# mv README-GENERATED.md README.md +# git add README.md +# git commit -m "Regenerate README.md" || exit 0 +# git push 
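Review bot: `uses: sigstore/cosign-installer@main` pins the action to a moving branch inside a job that holds `id-token: write` and `packages: write`, so anyone who can push to that branch can run code with this repository's OIDC identity and package-publish rights; pin it to a full commit SHA with the version in a trailing comment (the same applies, less urgently, to the tag-pinned `docker/setup-qemu-action@v2.0.0` and `actions/checkout@v3`). The build step does `cd images/nginx` and then `make melange` and `make index`, but this patch adds the Makefile under `distroless-build/`, that Makefile has no `index` target, and its `melange` target expects `$FILE` to name a pipeline, so the step as written cannot succeed. Since every publish, scan and README job is commented out, nothing in the active workflow needs `packages: write` or `id-token: write`; drop them until the publish steps return. The `melange` target also signs with `melange.rsa` from the checkout, and this workflow never runs `make keygen` or fetches a key, so either a private key is expected to live in the repository or the step fails — presumably the key should come from a secret or a keyless flow, worth confirming.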
diff --git a/distroless-build/Makefile b/distroless-build/Makefile
new file mode 100644
index 000000000..796ae4d87
--- /dev/null
+++ b/distroless-build/Makefile
@@ -0,0 +1,111 @@ +# Copyright 2022 The Kubernetes Authors. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +.DEFAULT_GOAL:=melange + +# set default shell +SHELL=/bin/bash -o pipefail -o errexit + +DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) + +# 0.0.0 shouldn't clobber any released builds +TAG ?= 0.0 +REGISTRY ?= gcr.io/k8s-staging-ingress-nginx + +IMAGE ?= $(REGISTRY)/controller + +ARCH := $(shell uname -m) +MELANGE_DIR ?= melange +APKO_DIR ?= apko +MELANGE ?= docker run --rm --privileged -v "${PWD}":/work distroless.dev/melange:latest +MELANGE ?= docker run -d --rm --privileged -v "${PWD}":/work distroless.dev/melange:latest +APKO ?= docker run --rm -v "${PWD}":/work distroless.dev/apko:latest +KEY ?= melange.rsa +REPO ?= packages +TEMPLATE ?= melange/nginx-templates.json +MELANGE_OPTS ?= --empty-workspace -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS} +KEY ?= melange.rsa +REPO ?= $(shell pwd)/packages +ARCHS?="amd64,arm64,arm/v6,arm/v7,s390x" + +define build-package + docker run $(2) --rm --privileged -v "${PWD}":/work distroless.dev/melange:latest build ${MELANGE_DIR}/$(1).yaml ${MELANGE_OPTS} --template '$(shell cat ${TEMPLATE})' +endef + +keygen: ## Generate Key pair for use with signing apks + docker run --rm --privileged -v "${PWD}":/work distroless.dev/melange:latest keygen + +melange: ## Build melange $FILE + ${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml ${MELANGE_OPTS} --template '$(shell cat 
${TEMPLATE})' + +apko-build: ## Build an apko pipeline with $KEY and $FILE + ${APKO} build -k ${KEY}.pub --debug ${APKO_DIR}/${FILE}.yaml $(IMAGE):$(TAG) $(IMAGE)-$(TAG).tar + +apko-push: ## Push apko built conatiner $IMAGE:$TAG to $REGISTRY + ${APKO} publish -k ${KEY}.pub --debug ${APKO_DIR}/${FILE}.yaml $(IMAGE):$(TAG) + +load: ## Load apko built image into docker + docker load < $(IMAGE)-$(TAG).tar + docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG) + docker push $(REGISTRY)/$(IMAGE):$(TAG) + +build-all: clean-packages all-packages nginx-package ingress-packages ## Fresh build of all melange pipelines and apko files, default is all $ARCHS + +nginx-test: ## Start $IMAGE:$TAG container and drop into bash shell + docker run --rm -it --entrypoint bash --env-file .env $(IMAGE):$(TAG) + +shell: ## Start Alpine base container, mount PWD and drop into sh + docker run -it --rm -v "${PWD}":/work --entrypoint sh distroless.dev/alpine-base:latest + +check_clean: + @echo -n "Are you sure? [y/N] " && read ans && [ $${ans:-N} = y ] + +clean-packages: check_clean ## Deletes /packages directory, this will take 4 hours to rebuild, are you sure? 
+ echo "deleting everything" + rm -rf packages/ && mkdir -p packages/ + +# order matters here, jaeger needs yaml etc +all-packages: + $(call build-package,mimaloc,"-d") + $(call build-package,ssdeep,"-d") + $(call build-package,opentracing,) + $(call build-package,msgpack,) + $(call build-package,datadog,) + $(call build-package,yaml,) + $(call build-package,zipkin,) + $(call build-package,jaeger,) + $(call build-package,luajit,) + $(call build-package,lua-resty-core,) + $(call build-package,modsecurity,) + $(call build-package,lua-resty-upload,"-d") + $(call build-package,lua-resty-string,"-d") + $(call build-package,lua-resty-redis,"-d") + $(call build-package,lua-resty-memcached,"-d") + $(call build-package,lua-resty-lock,"-d") + $(call build-package,lua-resty-ipmatcher,"-d") + $(call build-package,lua-resty-http,"-d") + $(call build-package,lua-resty-global-throttle,"-d") + $(call build-package,lua-resty-dns,"-d") + $(call build-package,lua-resty-cookie,"-d") + $(call build-package,lua-resty-cache,"-d") + $(call build-package,lua-resty-balancer,"-d") + $(call build-package,lua-cjson,"-d") + +nginx-package: + $(call build-package,nginx) + +ingress-packages: + $(call build-package,ingress-nginx-controller) + $(call build-package,dbg) + $(call build-package,wait-shutdown) diff --git a/distroless-build/apko/ingress.yaml b/distroless-build/apko/ingress.yaml new file mode 100644 index 000000000..81a6fc825 --- /dev/null +++ b/distroless-build/apko/ingress.yaml 
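Review bot: The `load` target tags `$(IMAGE):$(TAG)` as `$(REGISTRY)/$(IMAGE):$(TAG)`, but `IMAGE` already defaults to `$(REGISTRY)/controller`, so the pushed reference becomes `gcr.io/k8s-staging-ingress-nginx/gcr.io/k8s-staging-ingress-nginx/controller:0.0`; push `$(IMAGE):$(TAG)` directly or define `IMAGE` without the registry, and consider moving the push out of a target named `load`. The second `MELANGE ?=`, `KEY ?=` and `REPO ?=` lines are dead because `?=` only assigns an unset variable, so the `-d` variant and `$(shell pwd)/packages` never take effect — delete them or make the intent explicit. In `all-packages` the `"-d"` argument expands to `docker run -d`, which returns immediately and leaves the build running detached, so make proceeds to `nginx-package` and `ingress-packages` before those packages exist despite the "order matters here" comment; run them in the foreground or wait on the container. Every `docker run` uses `--privileged` and an unpinned `distroless.dev/melange:latest` / `apko:latest`, while the bind-mounted workspace contains the private signing key `melange.rsa`; pin the toolchain images by digest, and keep the private key outside `${PWD}` (pass it via a separate read-only mount) so it is not exposed to whatever the package build pipelines execute.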
@@ -0,0 +1,184 @@ +include: apko/nginx.yaml + +contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - dbg@local + - waitshutdown@local + - ingress-nginx@local + - dumb-init + +accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + run-as: 10000 + +environments: + PATH: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin" + LUA_PATH: "/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;" + LUA_CPATH: "/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;" + LUA_INCLUDE_DIR: "/usr/local/include/luajit-2.1" + LUAJIT_LIB: "/usr/local/lib" + +work-dir: /etc/nginx + +entrypoint: + command: "/usr/bin/dumb-init --" + +cmd: /nginx-ingress-controller + +paths: + - path: /var/log/nginx/error.log + type: symlink + source: /dev/stderr + permissions: 0o755 + - path: /var/log/nginx/access.log + type: symlink + source: /dev/stdout + permissions: 0o755 + recursive: true + - path: /usr/bin/nginx + type: hardlink + source: /usr/local/nginx/sbin/nginx + permissions: 0o755 + recursive: true + - path: /usr/local/ + type: directory + permissions: 0o755 + uid: 10000 + gid: 10000 + recursive: true + - path: /usr/include/lua5.1 + type: directory + permissions: 0o755 + uid: 10000 + gid: 10000 + recursive: true + - path: /usr/local/bin/lua + type: hardlink + source: /usr/local/bin/luajit + permissions: 0o755 + - path: /sbin/nginx + type: hardlink + source: /usr/local/nginx/sbin/nginx + permissions: 0o755 + - path: /var/lib/ + type: directory + permissions: 0o755 + uid: 10000 + gid: 10000 + recursive: true + - path: /var/log/nginx/ + type: directory + uid: 10000 + gid: 10000 + permissions: 0o755 + recursive: true + - path: /var/lib/nginx/ + type: directory + uid: 10000 + gid: 10000 + permissions: 0o755 + recursive: true + 
- path: /var/lib/nginx/body + type: directory + uid: 10000 + gid: 10000 + permissions: 0o755 + recursive: true + - path: /usr/local/nginx + type: directory + uid: 10000 + gid: 10000 + permissions: 0o755 + recursive: true + - path: /run/nginx + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /run/nginx.pid + uid: 10000 + gid: 10000 + type: empty-file + permissions: 0o755 + recursive: true + - path: /etc/nginx/modules + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /etc/nginx + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /usr/local/nginx + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /opt/modsecurity/var/log + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /opt/modsecurity/var/upload + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /opt/modsecurity/var/audit + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /var/log + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /etc/ingress-controller + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /tmp/nginx + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /var/log/nginx/ + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /var/log/audit + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true +archs: + - amd64 + - aarch64 + - armv7 diff --git a/distroless-build/apko/nginx.yaml b/distroless-build/apko/nginx.yaml new file mode 100644 index 000000000..7a928f61e --- /dev/null +++ b/distroless-build/apko/nginx.yaml 
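Review bot: The `paths` entries chown `/usr/local/` recursively to uid/gid 10000 — the same uid the image runs as — so the running controller owns the nginx binary at `/usr/local/nginx/sbin/nginx`, the LuaJIT runtime and every shared object under `/usr/local/lib`; a compromised worker could then rewrite code that nginx loads on the next reload. Limit ownership to the directories the controller actually writes (`/etc/nginx`, `/var/lib/nginx`, `/var/log/nginx`, `/run/nginx`, `/tmp/nginx`, the modsecurity `var` dirs) and leave `/usr/local` root-owned and read-only. Note also that `kind-deploy.yaml` in this same patch sets `runAsUser: 101`, which does not match `run-as: 10000` here, so none of these chowns would apply to the process as deployed; one of the two values needs to change. `/run/nginx.pid` and the two log symlinks are created with `permissions: 0o755`; an executable bit on a pid file or a symlink buys nothing, `0o644` is enough. Most of these entries, plus the `accounts` and `environments` blocks, are already declared by the included `apko/nginx.yaml`, so the duplicates could be dropped to keep the two files from drifting.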
@@ -0,0 +1,176 @@ +contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - '@local /work/packages' + packages: + - alpine-baselayout-data + - geoip-dev + - nginx@local + - opentracing@local + - msgpack-cpp@local + - datadog-cpp@local + - yaml-cpp@local + - zipkin-cpp@local + - modsecurity@local + - luaresty-balancer@local + - luacjson@local + - luajit@local + - lua-resty-cache@local + - lua-resty-cookie@local + - lua-resty-dns@local + - lua-resty-core@local + - lua-resty-global-throttle@local + - lua-resty-ipmatcher@local + - lua-resty-lock@local + - lua-resty-redis@local + - lua-resty-string@local + - lua-resty-upload@local +accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + run-as: 10000 + +environments: + PATH: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin" + LUA_PATH: "/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;" + LUA_CPATH: "/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;" + LUA_INCLUDE_DIR: "/usr/local/include/luajit-2.1" + LUAJIT_LIB: "/usr/local/lib" +paths: + - path: /usr/local/ + type: directory + permissions: 0o755 + uid: 10000 + gid: 10000 + recursive: true + - path: /usr/include/lua5.1 + type: directory + permissions: 0o755 + uid: 10000 + gid: 10000 + recursive: true + - path: /usr/local/bin/lua + type: hardlink + source: /usr/local/bin/luajit + permissions: 0o755 + - path: /sbin/nginx + type: hardlink + source: /usr/local/nginx/sbin/nginx + permissions: 0o755 + - path: /var/lib/ + type: directory + permissions: 0o755 + uid: 10000 + gid: 10000 + recursive: true + - path: /var/log/nginx/ + type: directory + uid: 10000 + gid: 10000 + permissions: 0o755 + recursive: true + - path: /var/lib/nginx/ + type: directory + uid: 10000 + gid: 10000 + permissions: 0o755 + recursive: true + - path: /var/lib/nginx/body + type: directory + uid: 10000 + gid: 10000 + permissions: 0o755 + 
recursive: true + - path: /usr/local/nginx + type: directory + uid: 10000 + gid: 10000 + permissions: 0o755 + recursive: true + - path: /run/nginx + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /run/nginx.pid + uid: 10000 + gid: 10000 + type: empty-file + permissions: 0o755 + recursive: true + - path: /etc/nginx/modules + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /etc/nginx + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /usr/local/nginx + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /opt/modsecurity/var/log + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /opt/modsecurity/var/upload + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /opt/modsecurity/var/audit + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /var/log + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /etc/ingress-controller + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /tmp/nginx + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /var/log/nginx/ + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + - path: /var/log/audit + uid: 10000 + gid: 10000 + type: directory + permissions: 0o755 + recursive: true + +archs: + - amd64 + - aarch64 + - armv7 diff --git a/distroless-build/kind-deploy.yaml b/distroless-build/kind-deploy.yaml new file mode 100644 index 000000000..f63d56a68 --- /dev/null +++ b/distroless-build/kind-deploy.yaml 
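Review bot: `contents.repositories` points at Alpine `edge/main`, a rolling repository, with no `keyring` entry visible for it, so which `alpine-baselayout-data` and `geoip-dev` end up in the image depends on the day the build runs and the result is not reproducible; pin a released Alpine branch and declare that repository's signing key under `keyring:` so apk verifies what it installs. `geoip-dev` is a headers package — the runtime image presumably only needs the `geoip` library, worth confirming. The package names `luaresty-balancer@local` and `luacjson@local` do not follow the `lua-resty-*` / `lua-cjson` naming of the melange pipelines this patch adds (`lua-resty-balancer.yaml`, `lua-cjson.yaml`); confirm they match the `package.name` in those files or apko will fail to resolve them. `archs` lists `amd64`, `aarch64` and `armv7` while the Makefile's `ARCHS` also builds `arm/v6` and `s390x` (with a dedicated `nginx-templates-s390x.json`), so those packages are built but never shipped — if that is intentional, a comment saying so would save the next person the question.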
@@ -0,0 +1,656 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - coordination.k8s.io 
+ resourceNames: + - ingress-controller-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 
1.3.1 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: 
ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx-controller + namespace: ingress-nginx +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: NodePort +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: controller + 
app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + spec: + containers: + - args: + - /nginx-ingress-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + - --watch-ingress-without-class=true + - --publish-status-address=localhost + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: localhost:5000/ingress:5005 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + hostPort: 80 + name: http + protocol: TCP + - containerPort: 443 + hostPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 
10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst + nodeSelector: + ingress-ready: "true" + kubernetes.io/os: linux + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 0 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Equal + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Equal + volumes: + - name: webhook-cert + secret: + secretName: ingress-nginx-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx-admission-create + namespace: ingress-nginx +spec: + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx-admission-create + spec: + containers: + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0@sha256:549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47 + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false + nodeSelector: + kubernetes.io/os: linux + restartPolicy: 
OnFailure + securityContext: + fsGroup: 2000 + runAsNonRoot: true + runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx-admission-patch + namespace: ingress-nginx +spec: + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx-admission-patch + spec: + containers: + - args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0@sha256:549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47 + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + securityContext: + fsGroup: 2000 + runAsNonRoot: true + runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + 
app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.3.1 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None diff --git a/distroless-build/melange/datadog.yaml b/distroless-build/melange/datadog.yaml new file mode 100644 index 000000000..85a1b4e76 --- /dev/null +++ b/distroless-build/melange/datadog.yaml 
@@ -0,0 +1,62 @@ +package: + name: datadog-cpp + version: {{ .DATADOG_CPP_VERSION }} + epoch: 0 + description: "Datadog OpenTracing C++ Client" + target-architecture: + - all + copyright: + - paths: + - "*" + license: Apache-2.0 license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + - cmake + - curl + - curl-dev + - opentracing@local + - msgpack-cpp@local + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/DataDog/dd-opentracing-cpp/archive/v{{ .DATADOG_CPP_VERSION }}.tar.gz + expected-sha256: {{ .DATADOG_CPP_VERSION_SHA }} + strip-components: 1 + - name: 'Configure DATADOG_CPP' + with: + DATADOG_CPP_VERSION: {{ .DATADOG_CPP_VERSION }} + runs: | + + # build datadog lib + echo "::::::::::::::::::::::::::::::::::::::" + echo ":::: dd-opentracing-cpp-{{ .DATADOG_CPP_VERSION }} ::::" + echo "::::::::::::::::::::::::::::::::::::::" + + cmake -DCMAKE_BUILD_TYPE=Release \ + -DBUILD_TESTING=OFF \ + -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true . + + - uses: autoconf/make + - uses: autoconf/make-install diff --git a/distroless-build/melange/dbg.yaml b/distroless-build/melange/dbg.yaml new file mode 100644 index 000000000..2ea2360cb --- /dev/null +++ b/distroless-build/melange/dbg.yaml 
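Review bot: The build environment under `environment.contents.repositories` pulls from `alpine/edge/main` and `alpine/edge/community`, which are rolling repositories with no version pin, so the toolchain and libraries that end up linked into `libdd_opentracing` change from build to build and cannot be reproduced or audited later. The source tarball itself is pinned by `expected-sha256`, which is good, but that pin is undermined if the compiler, `curl-dev` and friends float. Consider pointing at a fixed release such as `- https://dl-cdn.alpinelinux.org/alpine/v3.16/main` (and the matching community repo), or at a snapshot mirror, and bumping it deliberately. Separately, `license: Apache-2.0 license` is not a valid SPDX expression; melange copies this field into the package metadata and SBOM, so it should read `license: Apache-2.0`.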
@@ -0,0 +1,58 @@ +package: + name: dbg + version: {{ .INGRESS_NGINX_VERSION }} + epoch: 0 + description: "dbg is a tool for quickly inspecting the state of the nginx instance" + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: Apache-2.0 + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + packages: + - alpine-baselayout-data + - ca-certificates-bundle + - tree + - go + - bash + - curl + - ca-certificates-bundle + - git + - openssh-client + - make + - gcc + - busybox + - build-base +pipeline: + - uses: git-checkout + with: + repository: https://github.com/kubernetes/ingress-nginx + tag: ${{package.version}} + - name: Build ingress-nginx controller from source + with: + PKG: {{ .PKG }} + TAG: {{ .TAG }} + COMMIT_SHA: {{ .COMMIT_SHA }} + REPO_INFO: {{ .REPO_INFO }} + runs: | + set -o errexit + set -o nounset + set -o pipefail + + mkdir -p ${{targets.destdir}} + + go build -v \ + -trimpath -ldflags="-buildid= -w -s \ + -X {{ .PKG }}/version.RELEASE={{ .TAG }} \ + -X {{ .PKG }}/version.COMMIT={{ .COMMIT_SHA }} \ + -X {{ .PKG }}/version.REPO={{ .REPO_INFO }}" \ + -o "${{targets.destdir}}/dbg" {{ .PKG }}/cmd/dbg diff --git a/distroless-build/melange/ingress-nginx-controller.yaml b/distroless-build/melange/ingress-nginx-controller.yaml new file mode 100644 index 000000000..ab14fb49e --- /dev/null +++ b/distroless-build/melange/ingress-nginx-controller.yaml 
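Review bot: The `go build` in the "Build ingress-nginx controller from source" step does not set `CGO_ENABLED=0`, while the sibling controller recipe does, and this environment installs `gcc` and `build-base`, so the resulting `dbg` binary will most likely be dynamically linked against musl and fail to start in a distroless image that ships no libc. Add `export CGO_ENABLED=0` before the build line, as the controller recipe does, unless cgo is intentionally required here (nothing in the hunk suggests it is). The step name also says "controller" although it builds `cmd/dbg`; renaming it to `Build dbg from source` avoids confusing log output. `attestation: TODO` is a placeholder that will be emitted into the package metadata and should be filled in or dropped before this merges.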
@@ -0,0 +1,58 @@ +package: + name: ingress-nginx + version: {{ .INGRESS_NGINX_VERSION }} + epoch: 0 + description: "Ingress-NGINX Controller for Kubernetes" + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: Apache-2.0 + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + packages: + - alpine-baselayout-data + - busybox + - ca-certificates-bundle + - tree + - go + - bash + - curl + - ca-certificates-bundle + - git + - openssh-client + - make +pipeline: + - uses: git-checkout + with: + repository: https://github.com/kubernetes/ingress-nginx + tag: ${{package.version}} + - name: Build ingress-nginx controller from source + with: + PKG: {{ .PKG }} + TAG: {{ .TAG }} + COMMIT_SHA: {{ .COMMIT_SHA }} + REPO_INFO: {{ .REPO_INFO }} + runs: | + set -o errexit + set -o nounset + set -o pipefail + + mkdir -p ${{targets.destdir}} + + export CGO_ENABLED=0 + + go build -v \ + -trimpath -ldflags="-buildid= -w -s \ + -X {{ .PKG }}/version.RELEASE={{ .TAG }} \ + -X {{ .PKG }}/version.COMMIT={{ .COMMIT_SHA }} \ + -X {{ .PKG }}/version.REPO={{ .REPO_INFO }}" \ + -o "${{targets.destdir}}/nginx-ingress-controller" {{ .PKG }}/cmd/nginx diff --git a/distroless-build/melange/jaeger.yaml b/distroless-build/melange/jaeger.yaml new file mode 100644 index 000000000..5d90ea40b --- /dev/null +++ b/distroless-build/melange/jaeger.yaml 
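Review bot: The `git-checkout` step pins the source only by `tag: ${{package.version}}`, and tags are mutable references, so this recipe offers none of the content pinning that the `fetch`-based recipes get from `expected-sha256`. The pipeline already receives `{{ .COMMIT_SHA }}`, which it bakes into `version.COMMIT` purely for display; the same value should gate the checkout, e.g. `expected-commit: {{ .COMMIT_SHA }}` alongside the `tag:` line, so a moved tag fails the build instead of silently changing what gets shipped. Note too that ingress-nginx release tags carry a `controller-v` prefix, so `${{package.version}}` may need that prefix prepended unless `INGRESS_NGINX_VERSION` already includes it; the hunk does not show how the variable is populated.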
@@ -0,0 +1,94 @@ +package: + name: jaeger-cpp + version: {{ .JAEGER_VERSION }} + epoch: 0 + description: "Jaeger SDK with OpenTracing API for C++ binding." + target-architecture: + - all + copyright: + - paths: + - "*" + license: MIT license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + - cmake + - yaml-cpp@local + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/jaegertracing/jaeger-client-cpp/archive/v{{ .JAEGER_VERSION }}.tar.gz + expected-sha256: {{ .JAEGER_VERSION_SHA }} + strip-components: 1 + - name: 'Configure ' + with: + JAEGER_VERSION: {{ .JAEGER_VERSION }} + runs: | + + set -o errexit + set -o nounset + set -o pipefail + + echo "Arch: $(uname -m)" + + + ARCH=$(uname -m) + CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) + + mkdir -p ${{targets.destdir}}/etc/nginx + echo "::::::::::::::::::::::::::::::::::::::" + echo ":::: jaeger-client-cpp-{{ .JAEGER_VERSION }} ::::" + echo "::::::::::::::::::::::::::::::::::::::" + + # build jaeger lib + sed -i 's/-Werror/-Wno-psabi/' CMakeLists.txt + # use the above built yaml-cpp instead until a new version of jaeger-client-cpp fixes the yaml-cpp issue + # tl;dr new hunter is needed for new yaml-cpp, but new hunter has a conflict with old Thrift and new Boost + sed -i 's/hunter_add_package(yaml-cpp)/#hunter_add_package(yaml-cpp)/' CMakeLists.txt + sed -i 's/yaml-cpp::yaml-cpp/yaml-cpp/' CMakeLists.txt + + cat < export.map + { + global: + OpenTracingMakeTracerFactory; + local: *; + }; + EOF + + cmake -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_INSTALL_PREFIX=${{targets.destdir}} \ + -DBUILD_TESTING=OFF \ + 
-DJAEGERTRACING_BUILD_EXAMPLES=OFF \ + -DJAEGERTRACING_BUILD_CROSSDOCK=OFF \ + -DJAEGERTRACING_COVERAGE=OFF \ + -DJAEGERTRACING_PLUGIN=ON \ + -DHUNTER_CONFIGURATION_TYPES=Release \ + -DBUILD_SHARED_LIBS=OFF \ + -DJAEGERTRACING_WITH_YAML_CPP=ON \ + -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true . + + - uses: autoconf/make + - uses: autoconf/make-install + - run: | + mv libjaegertracing_plugin.so ${{targets.destdir}}/usr/local/lib/libjaegertracing_plugin.so diff --git a/distroless-build/melange/lua-cjson.yaml b/distroless-build/melange/lua-cjson.yaml new file mode 100644 index 000000000..e1781a192 --- /dev/null +++ b/distroless-build/melange/lua-cjson.yaml @@ -0,0 +1,56 @@ +package: + name: luacjson + version: {{ .LUA_CJSON_VERSION }} + epoch: 0 + description: "Lua CJSON is a fast JSON encoding/parsing module for Lua" + target-architecture: + - all + copyright: + - paths: + - "*" + license: MIT license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + - luajit@local + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/openresty/lua-cjson/archive/{{ .LUA_CJSON_VERSION }}.tar.gz + expected-sha256: {{ .LUA_CJSON_VERSION_SHA }} + strip-components: 1 + - name: "Configure" + runs: | + export LUAJIT_LIB=/usr/local/lib + export LUA_LIB_DIR="$LUAJIT_LIB/lua" + export LUAJIT_INC=/usr/local/include/luajit-2.1 + + ln -s /usr/local/bin/luajit /usr/local/bin/lua + ln -s "$LUAJIT_INC" /usr/local/include/lua + + export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1 + ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 + ls -lah /usr/local/lib + make + make DESTDIR="${{targets.destdir}}" install 
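Review bot: The jaeger-client-cpp configure step relies on Hunter (`-DHUNTER_CONFIGURATION_TYPES=Release`, and the `hunter_add_package` edits in the sed lines), which downloads Thrift, Boost and other dependencies from the network at configure time, so only the top-level tarball is covered by `expected-sha256` while the bulk of the compiled code arrives unpinned and unverified inside the build sandbox. That defeats the purpose of moving to melange for supply-chain control; either vendor those dependencies as local `@local` packages the way `yaml-cpp@local` already is, or at minimum pin Hunter's package versions in a config and document the exception. Also, the heredoc that writes `export.map` reads as `cat < export.map` in this hunk, which would try to read a non-existent file and then execute the `global:`/`local:` lines as shell commands; it should be `cat <<EOF > export.map` (this may be an extraction artifact, so please confirm against the actual file). The final `mv libjaegertracing_plugin.so ...` step runs in a separate `run:` without `set -o errexit`, so a missing plugin would be reported only as a later runtime failure.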
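Review bot: The "Configure" step in lua-cjson.yaml runs `make` and `make DESTDIR=... install` inside one script without `set -o errexit -o nounset -o pipefail`, unlike the jaeger and luajit recipes, so unless melange itself enforces errexit (I have not confirmed that here) a failed compile would be masked by a successful `install` of whatever is left in the tree. Add the same three `set -o` lines at the top of `runs:`. The `ln -s` calls are also not idempotent and will fail on a rebuild if the targets already exist; `ln -sf` is safer, and the `ls -lah /usr/local/lib` debugging line should go before this merges.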
diff --git a/distroless-build/melange/lua-resty-balancer.yaml b/distroless-build/melange/lua-resty-balancer.yaml new file mode 100644 index 000000000..ca63cd8fc --- /dev/null +++ b/distroless-build/melange/lua-resty-balancer.yaml @@ -0,0 +1,43 @@ +package: + name: luaresty-balancer + version: {{ .LUA_RESTY_BALANCER_VERSION }} + epoch: 0 + description: "A generic consistent hash implementation for OpenResty/Lua" + target-architecture: + - all + copyright: + - paths: + - "*" + license: BSD license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/openresty/lua-resty-balancer/archive/v{{ .LUA_RESTY_BALANCER_VERSION }}.tar.gz + expected-sha256: {{ .LUA_RESTY_BALANCER_VERSION_SHA }} + strip-components: 1 + - uses: autoconf/make + - uses: autoconf/make-install diff --git a/distroless-build/melange/lua-resty-cache.yaml b/distroless-build/melange/lua-resty-cache.yaml new file mode 100644 index 000000000..a3d223d21 --- /dev/null +++ b/distroless-build/melange/lua-resty-cache.yaml 
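Review bot: `license: BSD license` is not an SPDX identifier, and melange writes this field into the apk metadata and the generated SBOM, so downstream license and vulnerability tooling will not be able to classify the component. Use the concrete clause form from the upstream LICENSE file, most likely `license: BSD-2-Clause` for the OpenResty projects, but verify against the tarball rather than guessing. The same non-SPDX wording (`BSD license`, `MIT license`, `Apache-2.0 license`) appears in most of the other new recipes and should be fixed uniformly.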
@@ -0,0 +1,42 @@ +package: + name: lua-resty-cache + version: {{ .LUA_RESTY_CACHE }} + epoch: 0 + description: "lua-resty-lrucache - Lua-land LRU cache based on the LuaJIT FFI." + target-architecture: + - all + copyright: + - paths: + - "*" + license: BSD license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/openresty/lua-resty-lrucache/archive/v{{ .LUA_RESTY_CACHE }}.tar.gz + expected-sha256: {{ .LUA_RESTY_CACHE_SHA }} + strip-components: 1 + - uses: autoconf/make-install diff --git a/distroless-build/melange/lua-resty-cookie.yaml b/distroless-build/melange/lua-resty-cookie.yaml new file mode 100644 index 000000000..e3796c90d --- /dev/null +++ b/distroless-build/melange/lua-resty-cookie.yaml 
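Review bot: The package is named `lua-resty-cache` but the `fetch` URI and the description both refer to the upstream project `lua-resty-lrucache`, so the SBOM component name will not match the upstream project and vulnerability matching on it will fail. Rename to `name: lua-resty-lrucache` and, for consistency with the other recipes, give the template variable a `_VERSION` suffix (`LUA_RESTY_LRUCACHE_VERSION` / `_SHA`) instead of the bare `LUA_RESTY_CACHE`. If the short name is needed for compatibility with the apko image definition, say so in a comment next to `name:`.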
@@ -0,0 +1,43 @@ +package: + name: lua-resty-cookie + version: {{ .LUA_RESTY_COOKIE_VERSION }} + epoch: 0 + description: "lua-resty-lrucache - Lua-land LRU cache based on the LuaJIT FFI." + target-architecture: + - all + copyright: + - paths: + - "*" + license: BSD license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/cloudflare/lua-resty-cookie/archive/{{ .LUA_RESTY_COOKIE_VERSION }}.tar.gz + expected-sha256: {{ .LUA_RESTY_COOKIE_VERSION_SHA }} + strip-components: 1 + - uses: autoconf/make + - uses: autoconf/make-install diff --git a/distroless-build/melange/lua-resty-core.yaml b/distroless-build/melange/lua-resty-core.yaml new file mode 100644 index 000000000..5482f00c3 --- /dev/null +++ b/distroless-build/melange/lua-resty-core.yaml 
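Review bot: The `description` in lua-resty-cookie.yaml is copy-pasted from the lrucache recipe ("lua-resty-lrucache - Lua-land LRU cache based on the LuaJIT FFI.") and does not describe what the `fetch` step actually builds from `cloudflare/lua-resty-cookie`. Since this text ends up in the package metadata and SBOM, replace it with something like `description: "lua-resty-cookie - HTTP cookie handling for OpenResty/ngx_lua"`, taken from the upstream README. The same copy-paste affects lua-resty-dns.yaml in this patch.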
@@ -0,0 +1,56 @@ +package: + name: lua-resty-core + version: {{ .LUA_RESTY_CORE }} + epoch: 0 + description: "lua-resty-core - New FFI-based Lua API for ngx_http_lua_module and/or ngx_stream_lua_module" + target-architecture: + - all + copyright: + - paths: + - "*" + license: BSD license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + - luajit@local + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/openresty/lua-resty-core/archive/v{{ .LUA_RESTY_CORE }}.tar.gz + expected-sha256: {{ .LUA_RESTY_CORE_SHA }} + strip-components: 1 + - name: "Configure" + runs: | + export LUAJIT_LIB=/usr/local/lib + export LUA_LIB_DIR="$LUAJIT_LIB/lua" + export LUAJIT_INC=/usr/local/include/luajit-2.1 + + ln -s /usr/local/bin/luajit /usr/local/bin/lua + ln -s "$LUAJIT_INC" /usr/local/include/lua + + export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1 + ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 + ls -lah /usr/local/lib + make + make DESTDIR="${{targets.destdir}}" install diff --git a/distroless-build/melange/lua-resty-dns.yaml b/distroless-build/melange/lua-resty-dns.yaml new file mode 100644 index 000000000..1974512b5 --- /dev/null +++ b/distroless-build/melange/lua-resty-dns.yaml 
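Review bot: The "Configure" step's block of `export LUAJIT_*` variables and `ln -s` symlinks is duplicated verbatim in lua-cjson.yaml and lua-resty-ipmatcher.yaml, which makes the LuaJIT layout a three-place change and has already let the recipes drift (this one, like lua-cjson, has no `set -o errexit`). Either hoist the shared shell into one reusable pipeline under `pipelines/` and `uses:` it, or at least add `set -o errexit -o nounset -o pipefail` here too so a failed `make` cannot be followed by a partial `make install`. Drop the `ls -lah /usr/local/lib` debugging line before merging.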
@@ -0,0 +1,41 @@ +package: + name: lua-resty-dns + version: {{ .LUA_RESTY_DNS }} + epoch: 0 + description: "lua-resty-lrucache - Lua-land LRU cache based on the LuaJIT FFI." + target-architecture: + - all + copyright: + - paths: + - "*" + license: BSD license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/openresty/lua-resty-dns/archive/v{{ .LUA_RESTY_DNS }}.tar.gz + expected-sha256: {{ .LUA_RESTY_DNS_SHA }} + strip-components: 1 + - uses: autoconf/make-install diff --git a/distroless-build/melange/lua-resty-global-throttle.yaml b/distroless-build/melange/lua-resty-global-throttle.yaml new file mode 100644 index 000000000..f2eb2ea29 --- /dev/null +++ b/distroless-build/melange/lua-resty-global-throttle.yaml 
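Review bot: The `description` for lua-resty-dns is the lrucache text ("lua-resty-lrucache - Lua-land LRU cache based on the LuaJIT FFI."), which misdescribes the component in the resulting package metadata and SBOM. The correct sentence appears to have landed in lua-resty-global-throttle.yaml instead; move it here as `description: "lua-resty-dns - Lua DNS resolver for the ngx_lua based on the cosocket API"`. This recipe also omits the `'@local /work/packages'` repository that its siblings list; that is harmless since nothing `@local` is consumed, but worth making consistent.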
@@ -0,0 +1,41 @@ +package: + name: lua-resty-global-throttle + version: {{ .LUA_RESTY_GLOBAL_THROTTLE_VERSION }} + epoch: 0 + description: "lua-resty-dns - Lua DNS resolver for the ngx_lua based on the cosocket API" + target-architecture: + - all + copyright: + - paths: + - "*" + license: BSD license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/ElvinEfendi/lua-resty-global-throttle/archive/v{{ .LUA_RESTY_GLOBAL_THROTTLE_VERSION }}.tar.gz + expected-sha256: {{ .LUA_RESTY_GLOBAL_THROTTLE_VERSION_SHA }} + strip-components: 1 + - uses: autoconf/make-install diff --git a/distroless-build/melange/lua-resty-http.yaml b/distroless-build/melange/lua-resty-http.yaml new file mode 100644 index 000000000..2a159a91f --- /dev/null +++ b/distroless-build/melange/lua-resty-http.yaml 
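Review bot: The `description` here describes lua-resty-dns ("Lua DNS resolver for the ngx_lua based on the cosocket API") while the `fetch` URI builds `ElvinEfendi/lua-resty-global-throttle`, so the SBOM entry will carry the wrong component description. Replace it with text from the upstream README, e.g. `description: "lua-resty-global-throttle - general purpose, distributed rate limiting for OpenResty"`. Because this library enforces rate limits in the ingress data path, it is also a candidate for pinning to a commit rather than a `v{{ ... }}` tag if upstream tags have ever been moved; the sha256 pin already protects against that, so this is only a note.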
@@ -0,0 +1,42 @@ +package: + name: lua-resty-http + version: {{ .LUA_RESTY_HTTP_VERSION }} + epoch: 0 + description: "Lua HTTP client cosocket driver for OpenResty / ngx_lua." + target-architecture: + - all + copyright: + - paths: + - "*" + license: BSD license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/ledgetech/lua-resty-http/archive/{{ .LUA_RESTY_HTTP_VERSION }}.tar.gz + expected-sha256: {{ .LUA_RESTY_HTTP_VERSION_SHA }} + strip-components: 1 + - uses: autoconf/make-install diff --git a/distroless-build/melange/lua-resty-ipmatcher.yaml b/distroless-build/melange/lua-resty-ipmatcher.yaml new file mode 100644 index 000000000..fda78a76a --- /dev/null +++ b/distroless-build/melange/lua-resty-ipmatcher.yaml 
@@ -0,0 +1,61 @@ +package: + name: lua-resty-ipmatcher + version: {{ .LUA_RESTY_IPMATCHER_VERSION }} + epoch: 0 + description: "High-performance match IP address for Nginx + Lua" + target-architecture: + - all + copyright: + - paths: + - "*" + license: Apache-2.0 license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + - luajit@local + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/api7/lua-resty-ipmatcher/archive/{{ .LUA_RESTY_IPMATCHER_VERSION }}.tar.gz + expected-sha256: {{ .LUA_RESTY_IPMATCHER_VERSION_SHA }} + strip-components: 1 + - name: "Configure" + run: | + - name: "Configure" + runs: | + export LUAJIT_LIB=/usr/local/lib + export LUA_LIB_DIR="$LUAJIT_LIB/lua" + export LUAJIT_INC=/usr/local/include/luajit-2.1 + + ln -s /usr/local/bin/luajit /usr/local/bin/lua + ln -s "$LUAJIT_INC" /usr/local/include/lua + + export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1 + ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 + ls -lah /usr/local/lib + + #https://github.com/api7/lua-resty-ipmatcher/blob/master/Makefile#L22 + export INST_LUADIR="${{targets.destdir}}" + + make DESTDIR="${{targets.destdir}}" install diff --git a/distroless-build/melange/lua-resty-lock.yaml b/distroless-build/melange/lua-resty-lock.yaml new file mode 100644 index 000000000..802784d35 --- /dev/null +++ b/distroless-build/melange/lua-resty-lock.yaml 
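Review bot: The pipeline contains two consecutive `- name: "Configure"` steps, the first with an empty `run: |` (not `runs:`), which is not a valid melange step and will either be rejected by schema validation or silently do nothing; delete the first one so only the step with `runs:` remains. In the surviving step, `export INST_LUADIR="${{targets.destdir}}"` combined with `make DESTDIR=... install` looks like it will place `resty/ipmatcher.lua` at the root of the destdir rather than under a Lua library path, since upstream's Makefile installs directly into `$(INST_LUADIR)/resty` (linked in the comment); please confirm the resulting package layout matches where nginx's `lua_package_path` will look. The `ln -s` lines would also benefit from `-f` so rebuilds are idempotent.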
@@ -0,0 +1,41 @@ +package: + name: lua-resty-lock + version: {{ .LUA_RESTY_LOCK }} + epoch: 0 + description: "Simple nonblocking lock API for ngx_lua based on shared memory dictionaries" + target-architecture: + - all + copyright: + - paths: + - "*" + license: BSD license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/openresty/lua-resty-lock/archive/v{{ .LUA_RESTY_LOCK }}.tar.gz + expected-sha256: {{ .LUA_RESTY_LOCK_SHA }} + strip-components: 1 + - uses: autoconf/make-install diff --git a/distroless-build/melange/lua-resty-memcached.yaml b/distroless-build/melange/lua-resty-memcached.yaml new file mode 100644 index 000000000..805ec39d4 --- /dev/null +++ b/distroless-build/melange/lua-resty-memcached.yaml 
@@ -0,0 +1,42 @@ +package: + name: lua-resty-memcached + version: {{ .LUA_RESTY_MEMCACHED_VERSION }} + epoch: 0 + description: "Lua memcached client driver for the ngx_lua based on the cosocket API" + target-architecture: + - all + copyright: + - paths: + - "*" + license: BSD license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/openresty/lua-resty-memcached/archive/v{{ .LUA_RESTY_MEMCACHED_VERSION }}.tar.gz + expected-sha256: {{ .LUA_RESTY_MEMCACHED_VERSION_SHA }} + strip-components: 1 + - uses: autoconf/make-install diff --git a/distroless-build/melange/lua-resty-redis.yaml b/distroless-build/melange/lua-resty-redis.yaml new file mode 100644 index 000000000..9aacc3b2c --- /dev/null +++ b/distroless-build/melange/lua-resty-redis.yaml 
@@ -0,0 +1,41 @@ +package: + name: lua-resty-redis + version: {{ .LUA_RESTY_REDIS_VERSION }} + epoch: 0 + description: "Lua redis client driver for the ngx_lua based on the cosocket API" + target-architecture: + - all + copyright: + - paths: + - "*" + license: BSD license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/openresty/lua-resty-redis/archive/v{{ .LUA_RESTY_REDIS_VERSION }}.tar.gz + expected-sha256: {{ .LUA_RESTY_REDIS_VERSION_SHA }} + strip-components: 1 + - uses: autoconf/make-install diff --git a/distroless-build/melange/lua-resty-string.yaml b/distroless-build/melange/lua-resty-string.yaml new file mode 100644 index 000000000..36156fc24 --- /dev/null +++ b/distroless-build/melange/lua-resty-string.yaml 
@@ -0,0 +1,42 @@ +package: + name: lua-resty-string + version: {{ .LUA_RESTY_STRING_VERSION }} + epoch: 0 + description: "String utilities and common hash functions for ngx_lua and LuaJIT" + target-architecture: + - all + copyright: + - paths: + - "*" + license: BSD license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/openresty/lua-resty-string/archive/{{ .LUA_RESTY_STRING_VERSION }}.tar.gz + expected-sha256: {{ .LUA_RESTY_STRING_VERSION_SHA }} + strip-components: 1 + - uses: autoconf/make-install diff --git a/distroless-build/melange/lua-resty-upload.yaml b/distroless-build/melange/lua-resty-upload.yaml new file mode 100644 index 000000000..02173df48 --- /dev/null +++ b/distroless-build/melange/lua-resty-upload.yaml 
@@ -0,0 +1,42 @@ +package: + name: lua-resty-upload + version: {{ .LUA_RESTY_UPLOAD_VERSION }} + epoch: 0 + description: "Streaming reader and parser for http file uploading based on ngx_lua cosocket" + target-architecture: + - all + copyright: + - paths: + - "*" + license: BSD license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/openresty/lua-resty-upload/archive/v{{ .LUA_RESTY_UPLOAD_VERSION }}.tar.gz + expected-sha256: {{ .LUA_RESTY_UPLOAD_VERSION_SHA }} + strip-components: 1 + - uses: autoconf/make-install diff --git a/distroless-build/melange/luajit.yaml b/distroless-build/melange/luajit.yaml new file mode 100644 index 000000000..af68c2abc --- /dev/null +++ b/distroless-build/melange/luajit.yaml 
@@ -0,0 +1,74 @@ +package: + name: luajit + version: {{ .LUAJIT_VERSION }} + epoch: 0 + description: "openresty/luajit2 - OpenResty's maintained branch of LuaJIT." + target-architecture: + - all + copyright: + - paths: + - "*" + license: MIT license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/openresty/luajit2/archive/v{{ .LUAJIT_VERSION }}.tar.gz + expected-sha256: {{ .LUAJIT_VERSION_SHA }} + strip-components: 1 + - name: 'Configure LUAJIT' + with: + LUAJIT_VERSION: {{ .LUAJIT_VERSION }} + runs: | + + set -o errexit + set -o nounset + set -o pipefail + + echo "Arch: $(uname -m)" + + + ARCH=$(uname -m) + CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) + + mkdir -p ${{targets.destdir}}/etc/nginx + + export MAKEFLAGS=-j${CORES} + export CTEST_BUILD_FLAGS=${MAKEFLAGS} + export HUNTER_JOBS_NUMBER=${CORES} + export HUNTER_USE_CACHE_SERVERS=true + + # Install luajit from openresty fork + export LUAJIT_LIB=${{targets.destdir}}/usr/local/lib + export LUA_LIB_DIR="$LUAJIT_LIB/lua" + export LUAJIT_INC=${{targets.destdir}}/usr/local/include/luajit-2.1 + + echo "::::::::::::::::::::::::::::::::::::::" + echo ":::: luajit2-{{ .LUAJIT_VERSION }} ::::" + echo "::::::::::::::::::::::::::::::::::::::" + + make CCDEBUG=-g + + - uses: autoconf/make-install diff --git a/distroless-build/melange/mimaloc.yaml b/distroless-build/melange/mimaloc.yaml new file mode 100644 index 000000000..a48524987 --- /dev/null +++ b/distroless-build/melange/mimaloc.yaml 
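Review bot: `CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1))` followed by `export MAKEFLAGS=-j${CORES}` yields `-j0` on a single-CPU builder, which GNU make rejects as an invalid argument, so the build fails depending on the runner's size. Clamp it, e.g. `CORES=$(( $(nproc) > 1 ? $(nproc) - 1 : 1 ))`, or simply let melange's own parallelism apply. The `make CCDEBUG=-g` line compiles LuaJIT with debug info that then ships in a distroless runtime image; unless the symbols are deliberately wanted, drop `CCDEBUG=-g` or strip in a later step. Finally, `mkdir -p ${{targets.destdir}}/etc/nginx` and the `LUAJIT_LIB`/`LUA_LIB_DIR`/`LUAJIT_INC` exports are unused in this recipe and add an empty `/etc/nginx` to the luajit package; they look copied from the nginx recipe and should be removed.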
@@ -0,0 +1,49 @@ +package: + name: mimalloc + version: {{ .MIMALOC_VERSION }} + epoch: 0 + description: "mimalloc is a compact general purpose allocator with excellent performance." + target-architecture: + - all + copyright: + - paths: + - "*" + license: MIT license + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + packages: + - alpine-baselayout-data + - busybox + - build-base + - ssl_client + - ca-certificates-bundle + - cmake + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/microsoft/mimalloc/archive/refs/tags/v{{ .MIMALOC_VERSION }}.tar.gz + expected-sha256: {{ .MIMALOC_VERSION_SHA }} + strip-components: 1 + - name: 'Configure MIMALOC' + with: + MIMALOC_VERSION: {{ .MIMALOC_VERSION }} + runs: | + ls -lah + cmake . + - uses: autoconf/make + - uses: autoconf/make-install diff --git a/distroless-build/melange/modsecurity.yaml b/distroless-build/melange/modsecurity.yaml new file mode 100644 index 000000000..7a1ac560a --- /dev/null +++ b/distroless-build/melange/modsecurity.yaml 
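Review bot: The configure step runs a bare `cmake .` with no `-DCMAKE_BUILD_TYPE`, so whether mimalloc is built optimised depends on that project's CMake defaults rather than on this recipe; since the image `LD_PRELOAD`s this library into every nginx worker, make the intent explicit with `cmake -DCMAKE_BUILD_TYPE=Release .` as the other C/C++ recipes do. The file and template variables are spelled `mimaloc` (`MIMALOC_VERSION`, `MIMALOC_VERSION_SHA`) while the package is `mimalloc`; the inconsistency is easy to typo in the Makefile that supplies these values, so align them on `MIMALLOC_*`. Remove the `ls -lah` debugging line.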
@@ -0,0 +1,88 @@
+package:
+ name: modsecurity
+ version: {{ .MODSECURITY_LIB_VERSION }}
+ epoch: 0
+ description: "ModSecurity is an open source, cross platform web application firewall (WAF) engine"
+ target-architecture:
+ - all
+ copyright:
+ - paths:
+ - "*"
+ license: Apache-2.0 license
+ dependencies:
+ runtime:
+
+environment:
+ contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/edge/main
+ - https://dl-cdn.alpinelinux.org/alpine/edge/community
+ - '@local /work/packages'
+
+ packages:
+ - alpine-baselayout-data
+ - busybox
+ - build-base
+ - ssl_client
+ - ca-certificates-bundle
+ - git
+ - cmake
+ - autoconf
+ - automake
+ - pkgconf
+ - make
+ - automake
+ - libtool
+ - curl
+ - curl-dev
+ - libxml2
+ - pcre
+ - pcre-dev
+ - linux-headers
+ - luajit@local
+ accounts:
+ groups:
+ - groupname: www-data
+ gid: 10000
+ users:
+ - username: www-data
+ uid: 10000
+
+pipeline:
+ - uses: git-checkout
+ with:
+ repository: https://github.com/SpiderLabs/ModSecurity
+ branch: {{ .MODSECURITY_LIB_VERSION }}
+ - name: 'Configure MODSECURITY'
+ with:
+ MODSECURITY_LIB_VERSION: {{ .MODSECURITY_LIB_VERSION }}
+ runs: |
+ set -o errexit
+ set -o nounset
+ set -o pipefail
+ # build modsecurity library
+
+ echo "::::::::::::::::::::::::::::::::::::::"
+ echo ":::: modsecurity {{ .MODSECURITY_LIB_VERSION }} ::::"
+ echo "::::::::::::::::::::::::::::::::::::::"
+
+ export LUAJIT_LIB=/usr/local/lib
+ export LUA_LIB_DIR="$LUAJIT_LIB/lua"
+ export LUAJIT_INC=/usr/local/include/luajit-2.1
+
+ ls -lah
+ git submodule init
+ git submodule update
+
+ sh build.sh
+
+ # https://github.com/SpiderLabs/ModSecurity/issues/1909#issuecomment-465926762
+ sed -i '115i LUA_CFLAGS="${LUA_CFLAGS} -DWITH_LUA_JIT_2_1"' build/lua.m4
+ sed -i '117i AC_SUBST(LUA_CFLAGS)' build/lua.m4
+ ./configure \
+ --disable-doxygen-doc \
+ --disable-doxygen-html \
+ --disable-examples
+
+ - uses: autoconf/make
+ - uses: autoconf/make-install
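Review bot: The `git-checkout` step pins ModSecurity only by `branch: {{ .MODSECURITY_LIB_VERSION }}` (a tag name), so nothing verifies what was checked out, even though both template files in this patch already define `MODSECURITY_LIB_VERSION_SHA`; the sibling packages fetch a release tarball with `expected-sha256`, and this package should do the same or pin the checkout to a specific commit so a moved tag cannot change the WAF engine that ships. The two `sed -i '115i …'`/`'117i …'` edits to `build/lua.m4` patch by absolute line number and will silently insert at the wrong place on any other ModSecurity revision; a pattern-anchored `sed` or a checked-in patch file would fail loudly instead. `automake` is listed twice under `packages`.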
diff --git a/distroless-build/melange/msgpack.yaml b/distroless-build/melange/msgpack.yaml
new file mode 100644
index 000000000..fead5840d
--- /dev/null
+++ b/distroless-build/melange/msgpack.yaml
@@ -0,0 +1,58 @@
+package:
+ name: msgpack-cpp
+ version: {{ .MSGPACK_VERSION }}
+ epoch: 0
+ description: "msgpack for C/C++."
+ target-architecture:
+ - all
+ copyright:
+ - paths:
+ - "*"
+ license: Boost Software License - Version 1.0
+ dependencies:
+ runtime:
+
+environment:
+ contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/edge/main
+ - https://dl-cdn.alpinelinux.org/alpine/edge/community
+ -
+ packages:
+ - alpine-baselayout-data
+ - busybox
+ - build-base
+ - ssl_client
+ - ca-certificates-bundle
+ - cmake
+
+ accounts:
+ groups:
+ - groupname: www-data
+ gid: 10000
+ users:
+ - username: www-data
+ uid: 10000
+
+pipeline:
+ - uses: fetch
+ with:
+ uri: https://github.com/msgpack/msgpack-c/archive/cpp-{{ .MSGPACK_VERSION }}.tar.gz
+ expected-sha256: {{ .MSGPACK_VERSION_SHA }}
+ strip-components: 1
+ - name: 'Configure MSGPACK'
+ with:
+ YAML_CPP_VERSION: {{ .YAML_CPP_VERSION }}
+ runs: |
+ # build msgpack lib
+ echo "::::::::::::::::::::::::::::::::::::::"
+ echo ":::: msgpack-c-cpp-{{ .MSGPACK_VERSION }} ::::"
+ echo "::::::::::::::::::::::::::::::::::::::"
+
+ cmake -DCMAKE_BUILD_TYPE=Release \
+ -DBUILD_SHARED_LIBS=OFF \
+ -DMSGPACK_BUILD_EXAMPLES=OFF \
+ -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true .
+
+ - uses: autoconf/make
+ - uses: autoconf/make-install
diff --git a/distroless-build/melange/nginx-templates-s390x.json b/distroless-build/melange/nginx-templates-s390x.json
new file mode 100644
index 000000000..72b97db40
--- /dev/null
+++ b/distroless-build/melange/nginx-templates-s390x.json
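Review bot: The `repositories` list ends with a bare `-` carrying no value, which YAML parses as a null entry; it looks like a leftover `'@local /work/packages'` line and should either be restored or removed. The `with:` block declares `YAML_CPP_VERSION` although the script only uses `{{ .MSGPACK_VERSION }}`; it appears copied from yaml.yaml and should read `MSGPACK_VERSION: {{ .MSGPACK_VERSION }}`. Unlike luajit.yaml and modsecurity.yaml this script does not begin with `set -o errexit`/`set -o nounset`/`set -o pipefail`, so a failing `cmake` here could go unnoticed unless melange enables those options by default.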
@@ -0,0 +1,77 @@ +{ + "NGINX_VERSION": "1.19.10", + "NGINX_SHA": "e8d0290ff561986ad7cd6c33307e12e11b137186c4403a6a5ccdb4914c082d88", + "NDK_VERSION": "0.3.1", + "NDK_VERSION_SHA": "0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85", + "SETMISC_VERSION": "0.32", + "SETMISC_VERSION_SHA": "f1ad2459c4ee6a61771aa84f77871f4bfe42943a4aa4c30c62ba3f981f52c201", + "MORE_HEADERS_VERSION": "0.33", + "MORE_HEADERS_VERSION_SHA": "a3dcbab117a9c103bc1ea5200fc00a7b7d2af97ff7fd525f16f8ac2632e30fbf", + "NGINX_DIGEST_AUTH": "1.0.0", + "NGINX_DIGEST_AUTH_SHA": "f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b", + "NGINX_SUBSTITUTIONS": "b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0", + "NGINX_SUBSTITUTIONS_SHA": "a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f", + "NGINX_OPENTRACING_VERSION": "0.19.0", + "NGINX_OPENTRACING_VERSION_SHA": "6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17", + "OPENTRACING_CPP_VERSION": "f86b33f3d9e7322b1298ba62d5ffa7a9519c4c41", + "OPENTRACING_CPP_VERSION_SHA": "cbe625cba85291712253db5bc3870d60c709acfad9a8af5a302673d3d201e3ea", + "ZIPKIN_CPP_VERSION": "f69593138ff84ca2f6bc115992e18ca3d35f344a", + "ZIPKIN_CPP_VERSION_SHA": "71de3d0658935db7ccea20e006b35e58ddc7e4c18878b9523f2addc2371e9270", + "YAML_CPP_VERSION": "yaml-cpp-0.7.0", + "YAML_CPP_VERSION_SHA": "43e6a9fcb146ad871515f0d0873947e5d497a1c9c60c58cb102a97b47208b7c3", + "JAEGER_VERSION": "0.7.0", + "JAEGER_VERSION_SHA": "3a3a03060bf5e3fef52c9a2de02e6035cb557f389453d8f3b0c1d3d570636994", + "MSGPACK_VERSION": "3.3.0", + "MSGPACK_VERSION_SHA": "754c3ace499a63e45b77ef4bcab4ee602c2c414f58403bce826b76ffc2f77d0b", + "DATADOG_CPP_VERSION": "1.3.2", + "DATADOG_CPP_VERSION_SHA": "586f92166018cc27080d34e17c59d68219b85af745edf3cc9fe41403fc9b4ac6", + "MODSECURITY_NGINX_VERSION": "1.0.2", + "MODSECURITY_NGINX_VERSION_SHA": "f8d3ff15520df736c5e20e91d5852ec27e0874566c2afce7dcb979e2298d6980", + "MODSECURITY_LIB_VERSION": "v3.0.5", + 
"MODSECURITY_LIB_VERSION_SHA": "9498cf687f03dcd68313be2ce5dea7936c3f02e460e74d1075f4beb272473b6e", + "OWASP_MODSECURITY_CRS_VERSION": "v3.3.2", + "LUA_NGX_VERSION": "0.10.15", + "LUA_NGX_VERSION_SHA": "7d5f3439c8df56046d0564b5857fd8a30296ab1bd6df0f048aed7afb56a0a4c2", + "LUA_STREAM_NGX_VERSION": "0.0.7", + "LUA_STREAM_NGX_VERSION_SHA": "99c47c75c159795c9faf76bbb9fa58e5a50b75286c86565ffcec8514b1c74bf9", + "LUA_UPSTREAM_VERSION": "8aa93ead98ba2060d4efd594ae33a35d153589bf", + "LUA_UPSTREAM_VERSION_SHA": "a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f", + "LUA_CJSON_VERSION": "4b350c531de3d71008c77ae94e59275b8371b4dc", + "LUA_CJSON_VERSION_SHA": "8d602af2669fb386931760916a39f6c9034f2363c4965f215042c086b8215238", + "NGINX_INFLUXDB_VERSION": "5b09391cb7b9a889687c0aa67964c06a2d933e8b", + "NGINX_INFLUXDB_VERSION_SHA": "1af5a5632dc8b00ae103d51b7bf225de3a7f0df82f5c6a401996c080106e600e", + "GEOIP2_VERSION": "a26c6beed77e81553686852dceb6c7fdacc5970d", + "GEOIP2_VERSION_SHA": "4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b", + "NGINX_AJP_VERSION": "a964a0bcc6a9f2bfb82a13752d7794a36319ffac", + "NGINX_AJP_VERSION_SHA": "94d1512bf0e5e6ffa4eca0489db1279d51f45386fffcb8a1d2d9f7fe93518465", + "LUAJIT_VERSION": "9d5750d28478abfdcaefdfdc408f87752a21e431", + "LUAJIT_VERSION_SHA": "266ed1abb70a9806d97cb958537a44b67db6afb33d3b32292a2d68a2acedea75", + "LUA_RESTY_BALANCER_VERSION": "0.04", + "LUA_RESTY_BALANCER_VERSION_SHA": "16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5", + "LUA_RESTY_CACHE": "0.11", + "LUA_RESTY_CACHE_SHA": "e810ed124fe788b8e4aac2c8960dda1b9a6f8d0ca94ce162f28d3f4d877df8af", + "LUA_RESTY_CORE": "0.1.17", + "LUA_RESTY_CORE_SHA": "8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4", + "LUA_RESTY_COOKIE_VERSION": "303e32e512defced053a6484bc0745cf9dc0d39e", + "LUA_RESTY_COOKIE_VERSION_SHA": "5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4", + "LUA_RESTY_DNS": "0.22", + "LUA_RESTY_DNS_SHA": 
"70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0", + "LUA_RESTY_HTTP_VERSION": "0ce55d6d15da140ecc5966fa848204c6fd9074e8", + "LUA_RESTY_HTTP_VERSION_SHA": "9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f", + "LUA_RESTY_LOCK": "0.08", + "LUA_RESTY_LOCK_SHA": "2b4683f9abe73e18ca00345c65010c9056777970907a311d6e1699f753141de2", + "LUA_RESTY_UPLOAD_VERSION": "0.10", + "LUA_RESTY_UPLOAD_VERSION_SHA": "5d16e623d17d4f42cc64ea9cfb69ca960d313e12f5d828f785dd227cc483fcbd", + "LUA_RESTY_STRING_VERSION": "9ace36f2dde09451c377c839117ade45eb02d460", + "LUA_RESTY_STRING_VERSION_SHA": "462c6b38792bab4ca8212bdfd3f2e38f6883bb45c8fb8a03474ea813e0fab853", + "LUA_RESTY_MEMCACHED_VERSION": "0.16", + "LUA_RESTY_MEMCACHED_VERSION_SHA": "42893da0e3de4ec180c9bf02f82608d78787290a70c5644b538f29d243147396", + "LUA_RESTY_REDIS_VERSION": "0.29", + "LUA_RESTY_REDIS_VERSION_SHA": "3f602af507aacd1f7aaeddfe7b77627fcde095fe9f115cb9d6ad8de2a52520e1", + "LUA_RESTY_IPMATCHER_VERSION": "211e0d2eb8bbb558b79368f89948a0bafdc23654", + "LUA_RESTY_IPMATCHER_VERSION_SHA": "b8dbd502751140993a852381bcd8e98a402454596bd91838c1e51268d42db261", + "LUA_RESTY_GLOBAL_THROTTLE_VERSION": "0.2.0", + "LUA_RESTY_GLOBAL_THROTTLE_VERSION_SHA": "0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea", + "MIMALOC_VERSION": "1.7.6", + "MIMALOC_VERSION_SHA": "d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da" +} diff --git a/distroless-build/melange/nginx-templates.json b/distroless-build/melange/nginx-templates.json new file mode 100644 index 000000000..1672e5c46 --- /dev/null +++ b/distroless-build/melange/nginx-templates.json 
@@ -0,0 +1,82 @@ +{ + "INGRESS_NGINX_VERSION": "main", + "PKG": "k8s.io/ingress-nginx", + "TAG": "main", + "COMMIT_SHA": "cee95b50a", + "REPO_INFO": "git@github.com:kubernetes/ingress-nginx.git", + "NGINX_VERSION": "1.19.10", + "NGINX_SHA": "e8d0290ff561986ad7cd6c33307e12e11b137186c4403a6a5ccdb4914c082d88", + "NDK_VERSION": "0.3.1", + "NDK_VERSION_SHA": "0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85", + "SETMISC_VERSION": "0.32", + "SETMISC_VERSION_SHA": "f1ad2459c4ee6a61771aa84f77871f4bfe42943a4aa4c30c62ba3f981f52c201", + "MORE_HEADERS_VERSION": "0.33", + "MORE_HEADERS_VERSION_SHA": "a3dcbab117a9c103bc1ea5200fc00a7b7d2af97ff7fd525f16f8ac2632e30fbf", + "NGINX_DIGEST_AUTH": "1.0.0", + "NGINX_DIGEST_AUTH_SHA": "f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b", + "NGINX_SUBSTITUTIONS": "b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0", + "NGINX_SUBSTITUTIONS_SHA": "a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f", + "NGINX_OPENTRACING_VERSION": "0.19.0", + "NGINX_OPENTRACING_VERSION_SHA": "6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17", + "OPENTRACING_CPP_VERSION": "f86b33f3d9e7322b1298ba62d5ffa7a9519c4c41", + "OPENTRACING_CPP_VERSION_SHA": "cbe625cba85291712253db5bc3870d60c709acfad9a8af5a302673d3d201e3ea", + "ZIPKIN_CPP_VERSION": "f69593138ff84ca2f6bc115992e18ca3d35f344a", + "ZIPKIN_CPP_VERSION_SHA": "71de3d0658935db7ccea20e006b35e58ddc7e4c18878b9523f2addc2371e9270", + "YAML_CPP_VERSION": "yaml-cpp-0.7.0", + "YAML_CPP_VERSION_SHA": "43e6a9fcb146ad871515f0d0873947e5d497a1c9c60c58cb102a97b47208b7c3", + "JAEGER_VERSION": "0.7.0", + "JAEGER_VERSION_SHA": "3a3a03060bf5e3fef52c9a2de02e6035cb557f389453d8f3b0c1d3d570636994", + "MSGPACK_VERSION": "3.3.0", + "MSGPACK_VERSION_SHA": "754c3ace499a63e45b77ef4bcab4ee602c2c414f58403bce826b76ffc2f77d0b", + "DATADOG_CPP_VERSION": "1.3.2", + "DATADOG_CPP_VERSION_SHA": "586f92166018cc27080d34e17c59d68219b85af745edf3cc9fe41403fc9b4ac6", + "MODSECURITY_NGINX_VERSION": 
"1.0.2", + "MODSECURITY_NGINX_VERSION_SHA": "f8d3ff15520df736c5e20e91d5852ec27e0874566c2afce7dcb979e2298d6980", + "MODSECURITY_LIB_VERSION": "v3.0.5", + "MODSECURITY_LIB_VERSION_SHA": "9498cf687f03dcd68313be2ce5dea7936c3f02e460e74d1075f4beb272473b6e", + "OWASP_MODSECURITY_CRS_VERSION": "v3.3.2", + "LUA_NGX_VERSION": "b721656a9127255003b696b42ccc871c7ec18d59", + "LUA_NGX_VERSION_SHA": "085a9fb2bf9c4466977595a5fe5156d76f3a2d9a2a81be3cacaff2021773393e", + "LUA_STREAM_NGX_VERSION": "74f8c8bca5b95cecbf42d4e1a465bc08cd075a9b", + "LUA_STREAM_NGX_VERSION_SHA": "ba38c9f8e4265836ba7f2ac559ddf140693ff2f5ae33ab1e384f51f3992151ab", + "LUA_UPSTREAM_VERSION": "8aa93ead98ba2060d4efd594ae33a35d153589bf", + "LUA_UPSTREAM_VERSION_SHA": "a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f", + "LUA_CJSON_VERSION": "4b350c531de3d71008c77ae94e59275b8371b4dc", + "LUA_CJSON_VERSION_SHA": "8d602af2669fb386931760916a39f6c9034f2363c4965f215042c086b8215238", + "NGINX_INFLUXDB_VERSION": "5b09391cb7b9a889687c0aa67964c06a2d933e8b", + "NGINX_INFLUXDB_VERSION_SHA": "1af5a5632dc8b00ae103d51b7bf225de3a7f0df82f5c6a401996c080106e600e", + "GEOIP2_VERSION": "a26c6beed77e81553686852dceb6c7fdacc5970d", + "GEOIP2_VERSION_SHA": "4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b", + "NGINX_AJP_VERSION": "a964a0bcc6a9f2bfb82a13752d7794a36319ffac", + "NGINX_AJP_VERSION_SHA": "94d1512bf0e5e6ffa4eca0489db1279d51f45386fffcb8a1d2d9f7fe93518465", + "LUAJIT_VERSION": "2.1-20210510", + "LUAJIT_VERSION_SHA": "1ee6dad809a5bb22efb45e6dac767f7ce544ad652d353a93d7f26b605f69fe3f", + "LUA_RESTY_BALANCER_VERSION": "0.04", + "LUA_RESTY_BALANCER_VERSION_SHA": "16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5", + "LUA_RESTY_CACHE": "0.11", + "LUA_RESTY_CACHE_SHA": "e810ed124fe788b8e4aac2c8960dda1b9a6f8d0ca94ce162f28d3f4d877df8af", + "LUA_RESTY_CORE": "0.1.22", + "LUA_RESTY_CORE_SHA": "4d971f711fad48c097070457c128ca36053835d8a3ba25a937e9991547d55d4d", + "LUA_RESTY_COOKIE_VERSION": 
"303e32e512defced053a6484bc0745cf9dc0d39e", + "LUA_RESTY_COOKIE_VERSION_SHA": "5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4", + "LUA_RESTY_DNS": "0.22", + "LUA_RESTY_DNS_SHA": "70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0", + "LUA_RESTY_HTTP_VERSION": "0ce55d6d15da140ecc5966fa848204c6fd9074e8", + "LUA_RESTY_HTTP_VERSION_SHA": "9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f", + "LUA_RESTY_LOCK": "0.08", + "LUA_RESTY_LOCK_SHA": "2b4683f9abe73e18ca00345c65010c9056777970907a311d6e1699f753141de2", + "LUA_RESTY_UPLOAD_VERSION": "0.10", + "LUA_RESTY_UPLOAD_VERSION_SHA": "5d16e623d17d4f42cc64ea9cfb69ca960d313e12f5d828f785dd227cc483fcbd", + "LUA_RESTY_STRING_VERSION": "9ace36f2dde09451c377c839117ade45eb02d460", + "LUA_RESTY_STRING_VERSION_SHA": "462c6b38792bab4ca8212bdfd3f2e38f6883bb45c8fb8a03474ea813e0fab853", + "LUA_RESTY_MEMCACHED_VERSION": "0.16", + "LUA_RESTY_MEMCACHED_VERSION_SHA": "42893da0e3de4ec180c9bf02f82608d78787290a70c5644b538f29d243147396", + "LUA_RESTY_REDIS_VERSION": "0.29", + "LUA_RESTY_REDIS_VERSION_SHA": "3f602af507aacd1f7aaeddfe7b77627fcde095fe9f115cb9d6ad8de2a52520e1", + "LUA_RESTY_IPMATCHER_VERSION": "211e0d2eb8bbb558b79368f89948a0bafdc23654", + "LUA_RESTY_IPMATCHER_VERSION_SHA": "b8dbd502751140993a852381bcd8e98a402454596bd91838c1e51268d42db261", + "LUA_RESTY_GLOBAL_THROTTLE_VERSION": "0.2.0", + "LUA_RESTY_GLOBAL_THROTTLE_VERSION_SHA": "0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea", + "MIMALOC_VERSION": "1.7.6", + "MIMALOC_VERSION_SHA": "d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da" +} diff --git a/distroless-build/melange/nginx.yaml b/distroless-build/melange/nginx.yaml new file mode 100644 index 000000000..88f33bacb --- /dev/null +++ b/distroless-build/melange/nginx.yaml 
@@ -0,0 +1,469 @@ +package: + name: nginx + version: {{ .NGINX_VERSION }} + epoch: 0 + description: "the nginx webserver built for ingress-nginx" + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: BSD-2-Clause + dependencies: + runtime: + +environment: + contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - busybox + - build-base + - scanelf + - ssl_client + - ca-certificates-bundle + - brotli-dev + - gd-dev + - geoip-dev + - libmaxminddb-dev + - libxml2-dev + - libxslt-dev + - linux-headers + - pcre-dev + - pkgconf + - zeromq-dev + - zlib-dev + - bash + - gcc + - clang + - libc-dev + - make + - automake + - openssl-dev + - pcre-dev + - zlib-dev + - linux-headers + - libxslt-dev + - gd-dev + - geoip-dev + - perl-dev + - libedit-dev + - mercurial + - alpine-sdk + - findutils + - curl + - ca-certificates + - patch + - libaio-dev + - openssl + - cmake + - util-linux + - lmdb-tools + - wget + - curl-dev + - libprotobuf + - git + - g++ + - flex + - bison + - doxygen + - yajl-dev + - lmdb-dev + - libtool + - autoconf + - libxml2 + - libxml2-dev + - python3 + - libmaxminddb-dev + - bc + - unzip + - dos2unix + - libcrypto1.1 + - libcrypto3 + - libsrt + - opentracing@local + - msgpack-cpp@local + - datadog-cpp@local + - yaml-cpp@local + - zipkin-cpp@local + - modsecurity@local + - luajit@local + + accounts: + groups: + - groupname: www-data + gid: 10000 + users: + - username: www-data + uid: 10000 + +pipeline: + - uses: fetch + with: + uri: https://github.com/SpiderLabs/ModSecurity-nginx/archive/v{{ .MODSECURITY_NGINX_VERSION }}.tar.gz + expected-sha256: {{ .MODSECURITY_NGINX_VERSION_SHA }} + strip-components: 0 + - uses: fetch + with: + uri: https://github.com/simpl/ngx_devel_kit/archive/v{{ .NDK_VERSION }}.tar.gz + expected-sha256: {{ .NDK_VERSION_SHA }} + strip-components: 0 + - 
uses: fetch + with: + uri: https://github.com/openresty/set-misc-nginx-module/archive/v{{.SETMISC_VERSION}}.tar.gz + expected-sha256: {{.SETMISC_VERSION_SHA}} + strip-components: 0 + - uses: fetch + with: + uri: https://github.com/openresty/headers-more-nginx-module/archive/v{{ .MORE_HEADERS_VERSION }}.tar.gz + expected-sha256: {{ .MORE_HEADERS_VERSION_SHA }} + strip-components: 0 + - uses: fetch + with: + uri: https://github.com/atomx/nginx-http-auth-digest/archive/v{{.NGINX_DIGEST_AUTH}}.tar.gz + expected-sha256: {{ .NGINX_DIGEST_AUTH_SHA }} + strip-components: 0 + - uses: fetch + with: + uri: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/{{.NGINX_SUBSTITUTIONS}}.tar.gz + expected-sha256: {{ .NGINX_SUBSTITUTIONS_SHA }} + strip-components: 0 + - uses: fetch + with: + uri: https://github.com/opentracing-contrib/nginx-opentracing/archive/v{{ .NGINX_OPENTRACING_VERSION }}.tar.gz + expected-sha256: {{ .NGINX_OPENTRACING_VERSION_SHA }} + strip-components: 0 + - uses: fetch + with: + uri: https://github.com/openresty/lua-nginx-module/archive/{{ .LUA_NGX_VERSION }}.tar.gz + expected-sha256: {{ .LUA_NGX_VERSION_SHA }} + strip-components: 0 + - uses: fetch + with: + uri: https://github.com/openresty/stream-lua-nginx-module/archive/{{ .LUA_STREAM_NGX_VERSION }}.tar.gz + expected-sha256: {{ .LUA_STREAM_NGX_VERSION_SHA }} + strip-components: 0 + - uses: fetch + with: + uri: https://github.com/openresty/lua-upstream-nginx-module/archive/{{ .LUA_UPSTREAM_VERSION }}.tar.gz + expected-sha256: {{ .LUA_UPSTREAM_VERSION_SHA }} + strip-components: 0 + + - uses: fetch + with: + uri: https://github.com/influxdata/nginx-influxdb-module/archive/{{ .NGINX_INFLUXDB_VERSION }}.tar.gz + expected-sha256: {{ .NGINX_INFLUXDB_VERSION_SHA }} + strip-components: 0 + - uses: fetch + with: + uri: https://github.com/leev/ngx_http_geoip2_module/archive/{{ .GEOIP2_VERSION }}.tar.gz + expected-sha256: {{ .GEOIP2_VERSION_SHA }} + strip-components: 0 + - uses: fetch + with: + 
uri: https://github.com/yaoweibin/nginx_ajp_module/archive/{{ .NGINX_AJP_VERSION }}.tar.gz + expected-sha256: {{ .NGINX_AJP_VERSION_SHA }} + strip-components: 0 + - uses: fetch + with: + uri: https://nginx.org/download/${{package.name}}-${{package.version}}.tar.gz + expected-sha256: {{ .NGINX_SHA }} + strip-components: 0 + - name: 'Configure nginx' + with: + NGINX_VERSION: {{ .NGINX_VERSION }} + NDK_VERSION: {{ .NDK_VERSION }} + SETMISC_VERSION: {{ .SETMISC_VERSION}} + MORE_HEADERS_VERSION: {{ .MORE_HEADERS_VERSION }} + NGINX_DIGEST_AUTH: {{ .NGINX_DIGEST_AUTH }} + NGINX_SUBSTITUTIONS: {{ .NGINX_SUBSTITUTIONS }} + NGINX_OPENTRACING_VERSION: {{ .NGINX_OPENTRACING_VERSION }} + DATADOG_CPP_VERSION: {{ .DATADOG_CPP_VERSION }} + MODSECURITY_NGINX_VERSION: {{ .MODSECURITY_NGINX_VERSION }} + MODSECURITY_LIB_VERSION: {{ .MODSECURITY_LIB_VERSION }} + OWASP_MODSECURITY_CRS_VERSION: {{ .OWASP_MODSECURITY_CRS_VERSION }} + LUA_NGX_VERSION: {{ .LUA_NGX_VERSION }} + LUA_STREAM_NGX_VERSION: {{ .LUA_STREAM_NGX_VERSION }} + LUA_UPSTREAM_VERSION: {{ .LUA_UPSTREAM_VERSION }} + LUA_CJSON_VERSION: {{ .LUA_CJSON_VERSION }} + NGINX_INFLUXDB_VERSION: {{ .NGINX_INFLUXDB_VERSION }} + GEOIP2_VERSION: {{ .GEOIP2_VERSION }} + NGINX_AJP_VERSION: {{ .NGINX_AJP_VERSION }} + LUAJIT_VERSION: {{ .LUAJIT_VERSION }} + LUA_RESTY_CACHE: {{ .LUA_RESTY_CACHE }} + LUA_RESTY_CORE: {{ .LUA_RESTY_CORE }} + LUA_RESTY_COOKIE_VERSION: {{ .LUA_RESTY_COOKIE_VERSION }} + LUA_RESTY_DNS: {{ .LUA_RESTY_DNS }} + LUA_RESTY_HTTP_VERSION: {{ .LUA_RESTY_HTTP_VERSION }} + LUA_RESTY_LOCK: {{ .LUA_RESTY_LOCK }} + LUA_RESTY_UPLOAD_VERSION: {{ .LUA_RESTY_UPLOAD_VERSION }} + LUA_RESTY_STRING_VERSION: {{ .LUA_RESTY_STRING_VERSION }} + LUA_RESTY_MEMCACHED_VERSION: {{ .LUA_RESTY_MEMCACHED_VERSION }} + LUA_RESTY_REDIS_VERSION: {{ .LUA_RESTY_REDIS_VERSION }} + LUA_RESTY_IPMATCHER_VERSION: {{ .LUA_RESTY_IPMATCHER_VERSION }} + LUA_RESTY_GLOBAL_THROTTLE_VERSION: {{ .LUA_RESTY_GLOBAL_THROTTLE_VERSION }} + MIMALOC_VERSION: {{ 
.MIMALOC_VERSION }} + runs: | + set -o errexit + set -o nounset + set -o pipefail + + export BUILD_PATH="${PWD}" + echo "BUILD_PATH $BUILD_PATH" + echo "Arch: $(uname -m)" + + export HUNTER_INSTALL_DIR=$(cat _3rdParty/Hunter/install-root-dir) + export LUAJIT_LIB=/usr/local/lib + export LUA_LIB_DIR="$LUAJIT_LIB/lua" + export LUAJIT_INC=/usr/local/include/luajit-2.1 + export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1 + + ln -s /usr/local/bin/luajit /usr/local/bin/lua + ln -s "$LUAJIT_INC" /usr/local/include/lua + ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 + + ARCH=$(uname -m) + + # Get Brotli source and deps + echo "::::::::::::::::::::::::::::::::::::::" + echo ":::: ngx_brotl ::::" + echo "::::::::::::::::::::::::::::::::::::::" + cd "$BUILD_PATH" + git clone --depth=1 https://github.com/google/ngx_brotli.git + cd ngx_brotli + git submodule init + git submodule update + + + git clone --depth=1 -b {{ .MODSECURITY_LIB_VERSION }} https://github.com/SpiderLabs/ModSecurity + + mkdir -p ${{targets.destdir}}/etc/nginx/modsecurity + cp ModSecurity/modsecurity.conf-recommended ${{targets.destdir}}/etc/nginx/modsecurity/modsecurity.conf + cp ModSecurity/unicode.mapping ${{targets.destdir}}/etc/nginx/modsecurity/unicode.mapping + + # Replace serial logging with concurrent + sed -i 's|SecAuditLogType Serial|SecAuditLogType Concurrent|g' ${{targets.destdir}}/etc/nginx/modsecurity/modsecurity.conf + + # Concurrent logging implies the log is stored in several files + echo "SecAuditLogStorageDir /var/log/audit/" >> ${{targets.destdir}}/etc/nginx/modsecurity/modsecurity.conf + + # Download owasp modsecurity crs + cd ${{targets.destdir}}/etc/nginx/ + + git clone -b {{ .OWASP_MODSECURITY_CRS_VERSION }} https://github.com/coreruleset/coreruleset owasp-modsecurity-crs + cd owasp-modsecurity-crs + + mv crs-setup.conf.example crs-setup.conf + mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf + mv 
rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf + cd ${{targets.destdir}}/etc/nginx/ + + # OWASP CRS v3 rules + echo ' + Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf + Include 
/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf + ' > ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf + + + echo "::::::::::::::::::::::::::::::::::::::" + echo ":::: nginx-{{ .NGINX_VERSION }} ::::" + echo "::::::::::::::::::::::::::::::::::::::" + cd "$BUILD_PATH/nginx-{{ .NGINX_VERSION }}" + + WITH_FLAGS="--with-debug \ + --with-compat \ + --with-pcre-jit \ + --with-http_ssl_module \ + --with-http_stub_status_module \ + --with-http_realip_module \ + --with-http_auth_request_module \ + --with-http_addition_module \ + --with-http_geoip_module \ + --with-http_gzip_static_module \ + --with-http_sub_module \ + --with-http_v2_module \ + --with-stream \ + --with-stream_ssl_module \ + --with-stream_realip_module \ + --with-stream_ssl_preread_module \ + --with-threads \ + --with-http_secure_link_module \ + --with-http_gunzip_module" + + # "Combining -flto with -g is currently experimental and expected to produce unexpected results." 
+ # https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html + CC_OPT="-g -O2 -fPIE -fstack-protector-strong \ + -Wformat \ + -Werror=format-security \ + -Wno-deprecated-declarations \ + -fno-strict-aliasing \ + -D_FORTIFY_SOURCE=2 \ + --param=ssp-buffer-size=4 \ + -DTCP_FASTOPEN=23 \ + -fPIC \ + -I$HUNTER_INSTALL_DIR/include \ + -Wno-cast-function-type" + + LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L$HUNTER_INSTALL_DIR/lib" + + + WITH_FLAGS="--with-debug \ + --with-compat \ + --with-pcre-jit \ + --with-http_ssl_module \ + --with-http_stub_status_module \ + --with-http_realip_module \ + --with-http_auth_request_module \ + --with-http_addition_module \ + --with-http_geoip_module \ + --with-http_gzip_static_module \ + --with-http_sub_module \ + --with-http_v2_module \ + --with-stream \ + --with-stream_ssl_module \ + --with-stream_realip_module \ + --with-stream_ssl_preread_module \ + --with-threads \ + --with-http_secure_link_module \ + --with-http_gunzip_module" + + WITH_MODULES=" \ + --add-module=${BUILD_PATH}/ngx_devel_kit-{{ .NDK_VERSION }} \ + --add-module=${BUILD_PATH}/set-misc-nginx-module-{{ .SETMISC_VERSION }} \ + --add-module=${BUILD_PATH}/headers-more-nginx-module-{{ .MORE_HEADERS_VERSION }} \ + --add-module=${BUILD_PATH}/ngx_http_substitutions_filter_module-{{ .NGINX_SUBSTITUTIONS }} \ + --add-module=${BUILD_PATH}/lua-nginx-module-{{ .LUA_NGX_VERSION }} \ + --add-module=${BUILD_PATH}/stream-lua-nginx-module-{{ .LUA_STREAM_NGX_VERSION }} \ + --add-module=${BUILD_PATH}/lua-upstream-nginx-module-{{ .LUA_UPSTREAM_VERSION }} \ + --add-module=${BUILD_PATH}/nginx_ajp_module-{{ .NGINX_AJP_VERSION }} \ + --add-dynamic-module=${BUILD_PATH}/nginx-http-auth-digest-{{ .NGINX_DIGEST_AUTH }} \ + --add-dynamic-module=${BUILD_PATH}/nginx-influxdb-module-{{ .NGINX_INFLUXDB_VERSION }} \ + --add-dynamic-module=${BUILD_PATH}/nginx-opentracing-{{ .NGINX_OPENTRACING_VERSION }}/opentracing \ + --add-dynamic-module=${BUILD_PATH}/ModSecurity-nginx-{{ 
.MODSECURITY_NGINX_VERSION }} \ + --add-dynamic-module=${BUILD_PATH}/ngx_http_geoip2_module-{{ .GEOIP2_VERSION }} \ + --add-dynamic-module=${BUILD_PATH}/ngx_brotli" + + # "Combining -flto with -g is currently experimental and expected to produce unexpected results." + # https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html + CC_OPT="-g -O2 -fPIE -fstack-protector-strong \ + -Wformat \ + -Werror=format-security \ + -Wno-deprecated-declarations \ + -fno-strict-aliasing \ + -D_FORTIFY_SOURCE=2 \ + --param=ssp-buffer-size=4 \ + -DTCP_FASTOPEN=23 \ + -fPIC \ + -I$HUNTER_INSTALL_DIR/include \ + -Wno-cast-function-type" + + LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L$HUNTER_INSTALL_DIR/lib" + + if [[ ${ARCH} != "aarch64" ]]; then + WITH_FLAGS="${WITH_FLAGS} --with-file-aio" + fi + + if [[ ${ARCH} == "x86_64" ]]; then + CC_OPT="${CC_OPT} -m64 -mtune=generic" + fi + + echo "::::::::::::::::::::::::::::::::::::::::::::::::" + echo ":::: Configuring nginx-{{ .NGINX_VERSION }} ::::" + echo "::::::::::::::::::::::::::::::::::::::::::::::::" + ./configure \ + --prefix=/usr/local/nginx \ + --conf-path=/etc/nginx/nginx.conf \ + --modules-path=/etc/nginx/modules \ + --http-log-path=/var/log/nginx/access.log \ + --error-log-path=/var/log/nginx/error.log \ + --lock-path=/var/lock/nginx.lock \ + --pid-path=/run/nginx.pid \ + --http-client-body-temp-path=/var/lib/nginx/body \ + --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ + --http-proxy-temp-path=/var/lib/nginx/proxy \ + --http-scgi-temp-path=/var/lib/nginx/scgi \ + --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ + ${WITH_FLAGS} \ + --without-mail_pop3_module \ + --without-mail_smtp_module \ + --without-mail_imap_module \ + --without-http_uwsgi_module \ + --without-http_scgi_module \ + --with-cc-opt="${CC_OPT}" \ + --with-ld-opt="${LD_OPT}" \ + --user=www-data \ + --group=www-data \ + ${WITH_MODULES} + + echo "::::::::::::::::::::::::::::::::::::::::::" + echo ":::: MAKE nginx-{{ .NGINX_VERSION }} ::::" + echo 
"::::::::::::::::::::::::::::::::::::::::::" + make + + echo "::::::::::::::::::::::::::::::::::::::::::::" + echo ":::: MODULES nginx-{{ .NGINX_VERSION }} ::::" + echo "::::::::::::::::::::::::::::::::::::::::::::" + make DESTDIR="${{targets.destdir}}" modules + + echo "::::::::::::::::::::::::::::::::::::::::::::" + echo ":::: INSTALL nginx-{{ .NGINX_VERSION }} ::::" + echo "::::::::::::::::::::::::::::::::::::::::::::" + make DESTDIR="${{targets.destdir}}" install + + + echo "::::::::::::::::::::::::::::::::::::::::::::" + echo ":::::::::::::::: CLEANUP :::::::::::::::::::" + echo "::::::::::::::::::::::::::::::::::::::::::::" + + echo "Clean up owasp-modsecurity-crs" + rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/.git + rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/util/regression-tests + + echo "Clean up everything else" + cd ${BUILD_PATH} + rm -rf *.tar.gz ${BUILD_PATH}/ngx_devel_kit-{{ .NDK_VERSION }} \ + ${BUILD_PATH}/set-misc-nginx-module-{{ .SETMISC_VERSION }} \ + ${BUILD_PATH}/headers-more-nginx-module-{{ .MORE_HEADERS_VERSION }} \ + ${BUILD_PATH}/ngx_http_substitutions_filter_module-{{ .NGINX_SUBSTITUTIONS }} \ + ${BUILD_PATH}/lua-nginx-module-{{ .LUA_NGX_VERSION }} \ + ${BUILD_PATH}/stream-lua-nginx-module-{{ .LUA_STREAM_NGX_VERSION }} \ + ${BUILD_PATH}/lua-upstream-nginx-module-{{ .LUA_UPSTREAM_VERSION }} \ + ${BUILD_PATH}/nginx_ajp_module-{{ .NGINX_AJP_VERSION }} \ + ${BUILD_PATH}/nginx-http-auth-digest-{{ .NGINX_DIGEST_AUTH }} \ + ${BUILD_PATH}/nginx-influxdb-module-{{ .NGINX_INFLUXDB_VERSION }} \ + ${BUILD_PATH}/nginx-opentracing-{{ .NGINX_OPENTRACING_VERSION }}/opentracing \ + ${BUILD_PATH}/ModSecurity-nginx-{{ .MODSECURITY_NGINX_VERSION }} \ + ${BUILD_PATH}/ngx_http_geoip2_module-{{ .GEOIP2_VERSION }} \ + ${BUILD_PATH}/ngx_brotli diff --git a/distroless-build/melange/opentracing.yaml b/distroless-build/melange/opentracing.yaml new file mode 100644 index 000000000..b50f28bbd --- /dev/null 
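Review bot: `git clone --depth=1 https://github.com/google/ngx_brotli.git` pulls whatever the default branch holds at build time, and the `ModSecurity` and `coreruleset` clones pin only a tag name, so these three inputs get no integrity check while every `fetch` step in this hunk verifies `expected-sha256`; pin them to a commit (or fetch release tarballs with `expected-sha256`) so the build is reproducible and a moved tag or altered branch cannot change what ships in the image. `export HUNTER_INSTALL_DIR=$(cat _3rdParty/Hunter/install-root-dir)` reads a file that nothing in this hunk creates, and because `export` masks the substituted command's exit status `set -o errexit` will not catch the failure, leaving `-I$HUNTER_INSTALL_DIR/include` and `-L$HUNTER_INSTALL_DIR/lib` pointing at `/include` and `/lib`; with the tracer libraries now coming from `@local` packages, drop the variable and those two flags. `WITH_FLAGS`, `CC_OPT` and `LD_OPT` are each assigned twice with identical values, so the first set can be deleted. The `packages` list repeats `pcre-dev`, `zlib-dev`, `linux-headers`, `libxslt-dev`, `gd-dev`, `geoip-dev`, `libmaxminddb-dev` and `libxml2-dev`, and installs both `libcrypto1.1` and `libcrypto3`.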
+++ b/distroless-build/melange/opentracing.yaml
@@ -0,0 +1,55 @@
+package:
+ name: opentracing
+ version: {{ .OPENTRACING_CPP_VERSION }}
+ epoch: 0
+ description: "C++ implementation of the OpenTracing API http://opentracing.io"
+ target-architecture:
+ - all
+ copyright:
+ - paths:
+ - "*"
+ license: Apache-2.0 license
+ dependencies:
+ runtime:
+
+environment:
+ contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/edge/main
+ - https://dl-cdn.alpinelinux.org/alpine/edge/community
+ packages:
+ - alpine-baselayout-data
+ - busybox
+ - build-base
+ - ssl_client
+ - ca-certificates-bundle
+ - cmake
+
+ accounts:
+ groups:
+ - groupname: www-data
+ gid: 10000
+ users:
+ - username: www-data
+ uid: 10000
+
+pipeline:
+ - uses: fetch
+ with:
+ uri: https://github.com/opentracing/opentracing-cpp/archive/{{ .OPENTRACING_CPP_VERSION }}.tar.gz
+ expected-sha256: {{ .OPENTRACING_CPP_VERSION_SHA }}
+ strip-components: 1
+ - name: 'Configure OPENTRACING CPP'
+ with:
+ OPENTRACING_CPP_VERSION: {{ .OPENTRACING_CPP_VERSION }}
+ runs: |
+
+ cmake -DCMAKE_BUILD_TYPE=Release \
+ -DBUILD_TESTING=OFF \
+ -DBUILD_SHARED_LIBS=OFF \
+ -DBUILD_MOCKTRACER=OFF \
+ -DBUILD_STATIC_LIBS=ON \
+ -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \
+ .
+ - uses: autoconf/make
+ - uses: autoconf/make-install
diff --git a/distroless-build/melange/ssdeep.yaml b/distroless-build/melange/ssdeep.yaml
new file mode 100644
index 000000000..c42ae10c9
--- /dev/null
+++ b/distroless-build/melange/ssdeep.yaml
@@ -0,0 +1,57 @@
+package:
+ name: ssdeep
+ version: 2.14.1
+ epoch: 0
+ description: "Fuzzy hashing API and fuzzy hashing tool"
+ target-architecture:
+ - all
+ copyright:
+ - paths:
+ - "*"
+ license: GPL-2.0 license
+ dependencies:
+ runtime:
+
+environment:
+ contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/edge/main
+ - https://dl-cdn.alpinelinux.org/alpine/edge/community
+ packages:
+ - alpine-baselayout-data
+ - busybox
+ - build-base
+ - ssl_client
+ - ca-certificates-bundle
+ - cmake
+ - autoconf
+ - automake
+ - pkgconf
+ - make
+ - automake
+ - libtool
+ accounts:
+ groups:
+ - groupname: www-data
+ gid: 10000
+ users:
+ - username: www-data
+ uid: 10000
+
+pipeline:
+ - uses: fetch
+ with:
+ uri: https://github.com/ssdeep-project/ssdeep/archive/refs/tags/release-2.14.1.tar.gz
+ expected-sha256: d96f667a8427ad96da197884574c7ca8c7518a37d9ac8593b6ea77e7945720a4
+ strip-components: 1
+ - name: 'Configure SSDEEP'
+ with:
+ YAML_CPP_VERSION: {{ .YAML_CPP_VERSION }}
+ runs: |
+ echo "::::::::::::::::::::::::::::::::::::::"
+ echo ":::: ssdeep ::::"
+ echo "::::::::::::::::::::::::::::::::::::::"
+ ./bootstrap
+ ./configure
+ - uses: autoconf/make
+ - uses: autoconf/make-install
diff --git a/distroless-build/melange/wait-shutdown.yaml b/distroless-build/melange/wait-shutdown.yaml
new file mode 100644
index 000000000..4d48ac8dd
--- /dev/null
+++ b/distroless-build/melange/wait-shutdown.yaml
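Review bot: The `with:` input `YAML_CPP_VERSION: {{ .YAML_CPP_VERSION }}` on the 'Configure SSDEEP' step looks copied from yaml.yaml and is never read by the `runs:` block that follows; drop it so the step does not depend on an unrelated template variable. `automake` is listed twice under `packages`. The value `license: GPL-2.0 license` is not an SPDX expression; use the identifier matching ssdeep's COPYING (`GPL-2.0-only` or `GPL-2.0-or-later`) so SBOM and license-scanning tooling can consume the package metadata.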
@@ -0,0 +1,59 @@
+package:
+ name: waitshutdown
+ version: {{ .INGRESS_NGINX_VERSION }}
+ epoch: 0
+ description: "waitshutdown is a tool for terminating ingress controller nginx instance"
+ target-architecture:
+ - all
+ copyright:
+ - paths:
+ - "*"
+ attestation: TODO
+ license: Apache-2.0
+ dependencies:
+ runtime:
+
+environment:
+ contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/edge/main
+ - https://dl-cdn.alpinelinux.org/alpine/edge/community
+ packages:
+ - alpine-baselayout-data
+ - ca-certificates-bundle
+ - tree
+ - go
+ - bash
+ - curl
+ - ca-certificates-bundle
+ - git
+ - openssh-client
+ - make
+ - gcc
+ - busybox
+ - build-base
+pipeline:
+ - uses: git-checkout
+ with:
+ repository: https://github.com/kubernetes/ingress-nginx
+ tag: ${{package.version}}
+ - name: Build ingress-nginx controller from source
+ with:
+ PKG: {{ .PKG }}
+ TAG: {{ .TAG }}
+ COMMIT_SHA: {{ .COMMIT_SHA }}
+ REPO_INFO: {{ .REPO_INFO }}
+ runs: |
+ set -o errexit
+ set -o nounset
+ set -o pipefail
+
+ mkdir -p ${{targets.destdir}}
+
+
+ go build -v \
+ -trimpath -ldflags="-buildid= -w -s \
+ -X {{ .PKG }}/version.RELEASE={{ .TAG }} \
+ -X {{ .PKG }}/version.COMMIT={{ .COMMIT_SHA }} \
+ -X {{ .PKG }}/version.REPO={{ .REPO_INFO }}" \
+ -o "${{targets.destdir}}/wait-shutdown" {{ .PKG }}/cmd/waitshutdown
diff --git a/distroless-build/melange/yaml.yaml b/distroless-build/melange/yaml.yaml
new file mode 100644
index 000000000..ebd57c7d5
--- /dev/null
+++ b/distroless-build/melange/yaml.yaml
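Review bot: The `git-checkout` step checks out `tag: ${{package.version}}` only, while the build step already carries `COMMIT_SHA` and stamps it into the binary via `-X {{ .PKG }}/version.COMMIT={{ .COMMIT_SHA }}`; a tag is a mutable ref, so the sources actually compiled can drift from the commit the binary reports. Pinning the checkout to that commit (melange's git-checkout pipeline accepts an `expected-commit` input in current releases — confirm the melange version in use) keeps the build reproducible and the embedded version metadata truthful. `attestation: TODO` under `copyright` is a placeholder that would ship in the package metadata, and `ca-certificates-bundle` is listed twice under `packages`.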
@@ -0,0 +1,57 @@
+package:
+ name: yaml-cpp
+ version: {{ .YAML_CPP_VERSION }}
+ epoch: 0
+ description: "yaml-cpp is a YAML parser and emitter in C++ matching the YAML 1.2 spec."
+ target-architecture:
+ - all
+ copyright:
+ - paths:
+ - "*"
+ license: MIT
+ dependencies:
+ runtime:
+
+environment:
+ contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/edge/main
+ - https://dl-cdn.alpinelinux.org/alpine/edge/community
+ -
+ packages:
+ - alpine-baselayout-data
+ - busybox
+ - build-base
+ - ssl_client
+ - ca-certificates-bundle
+ - cmake
+
+ accounts:
+ groups:
+ - groupname: www-data
+ gid: 10000
+ users:
+ - username: www-data
+ uid: 10000
+
+pipeline:
+ - uses: fetch
+ with:
+ uri: https://github.com/jbeder/yaml-cpp/archive/{{ .YAML_CPP_VERSION }}.tar.gz
+ expected-sha256: {{ .YAML_CPP_VERSION_SHA }}
+ strip-components: 1
+ - name: 'Configure YAML_CPP'
+ with:
+ YAML_CPP_VERSION: {{ .YAML_CPP_VERSION }}
+ runs: |
+ echo "::::::::::::::::::::::::::::::::::::::"
+ echo ":::: yaml-cpp-{{ .YAML_CPP_VERSION }} ::::"
+ echo "::::::::::::::::::::::::::::::::::::::"
+
+ cmake -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \
+ -DYAML_BUILD_SHARED_LIBS=ON \
+ -DYAML_CPP_BUILD_TESTS=OFF \
+ -DYAML_CPP_BUILD_TOOLS=OFF .
+ - uses: autoconf/make
+ - uses: autoconf/make-install
diff --git a/distroless-build/melange/zipkin.yaml b/distroless-build/melange/zipkin.yaml
new file mode 100644
index 000000000..ad377a7e9
--- /dev/null
+++ b/distroless-build/melange/zipkin.yaml
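Review bot: The `repositories` list carries a bare `-` entry after the community URL, i.e. a null list element; depending on how melange writes the apk repositories file this is either a parse error or an empty repository line, so remove it. This package is configured with `-DYAML_BUILD_SHARED_LIBS=ON`, whereas opentracing.yaml and zipkin.yaml build static libraries (`-DBUILD_SHARED_LIBS=OFF`); if the intent is static linking into nginx for all of these libraries the flag should agree, and if yaml-cpp is deliberately shared a one-line comment above the cmake call saying why would save the next reader the question.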
@@ -0,0 +1,69 @@
+package:
+ name: zipkin-cpp
+ version: {{ .ZIPKIN_CPP_VERSION }}
+ epoch: 0
+ description: "OpenTracing implementation for Zipkin in C++."
+ target-architecture:
+ - all
+ copyright:
+ - paths:
+ - "*"
+ license: Apache-2.0 license
+ dependencies:
+ runtime:
+
+environment:
+ contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/edge/main
+ - https://dl-cdn.alpinelinux.org/alpine/edge/community
+ - '@local /work/packages'
+ packages:
+ - alpine-baselayout-data
+ - busybox
+ - build-base
+ - ssl_client
+ - ca-certificates-bundle
+ - cmake
+ - curl
+ - curl-dev
+ - opentracing@local
+
+ accounts:
+ groups:
+ - groupname: www-data
+ gid: 10000
+ users:
+ - username: www-data
+ uid: 10000
+
+pipeline:
+ - uses: fetch
+ with:
+ uri: https://github.com/rnburn/zipkin-cpp-opentracing/archive/{{ .ZIPKIN_CPP_VERSION }}.tar.gz
+ expected-sha256: {{ .ZIPKIN_CPP_VERSION_SHA }}
+ strip-components: 1
+ - name: 'Configure ZIPKIN CPP VERSION'
+ with:
+ OPENTRACING_CPP_VERSION: {{ .ZIPKIN_CPP_VERSION }}
+ runs: |
+ echo "::::::::::::::::::::::::::::::::::::::"
+ echo ":::: zipkin-cpp-opentracing-{{ .ZIPKIN_CPP_VERSION }} ::::"
+ echo "::::::::::::::::::::::::::::::::::::::"
+
+ cat < export.map
+ {
+ global:
+ OpenTracingMakeTracerFactory;
+ local: *;
+ };
+ EOF
+
+ cmake -DCMAKE_BUILD_TYPE=Release \
+ -DBUILD_SHARED_LIBS=OFF \
+ -DBUILD_PLUGIN=ON \
+ -DBUILD_TESTING=OFF \
+ -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true .
+
+ - uses: autoconf/make
+ - uses: autoconf/make-install
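Review bot: The `with:` input on the 'Configure ZIPKIN CPP VERSION' step is named `OPENTRACING_CPP_VERSION` but carries `{{ .ZIPKIN_CPP_VERSION }}`, which reads like a copy-paste from opentracing.yaml; either rename it to `ZIPKIN_CPP_VERSION: {{ .ZIPKIN_CPP_VERSION }}` or drop it, since the `runs:` block never references it. As rendered here the script shows `cat < export.map` followed by the map body and a bare `EOF` line; if that is not an artifact of the page swallowing the heredoc operator, the line needs to be `cat <<EOF > export.map`, otherwise the step tries to read a file that does not exist and the linker version script is never written. Unlike wait-shutdown.yaml this `runs:` block sets no `set -o errexit`, so unless melange's runner applies it, a failure in that step would not stop the build. `license: Apache-2.0 license` is not an SPDX identifier.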