testing the container

Signed-off-by: James Strong <strong.james.e@gmail.com>
James Strong 2022-09-30 11:54:30 -04:00 committed by James Strong
parent f898307b98
commit 3f8337bffe
8 changed files with 261 additions and 68 deletions


@ -106,6 +106,7 @@ controller:
image: "${DEV_IMAGE}" image: "${DEV_IMAGE}"
tag: "${TAG}" tag: "${TAG}"
digest: "${DIGEST}" digest: "${DIGEST}"
runAsUser: 0
config: config:
worker-processes: "1" worker-processes: "1"
podLabels: podLabels:
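Review bot: `runAsUser: 0` on the added line makes the controller pod run as root, which undoes the non-root posture the rest of the chart assumes and widens the blast radius of any nginx, module or Lua bug; the same commit flips `run-as` from `101` to `root` in the modified apko file and sets `run-as: root` in the new apko file, so the three changes stand or fall together. Both apko files in this commit define `www-data` as uid 101, so `runAsUser: 101` is the value that matches the image's own user. If root is needed only while testing the image, say so next to the value, e.g. `# TODO(test): root only while debugging the new image; restore runAsUser: 101 before merging`, so the setting is not carried into a release by accident. The enclosing `controller:` block starts and ends outside the hunk.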


@ -36,7 +36,7 @@ REPO ?= packages
TEMPLATE ?= melange/nginx-templates.json TEMPLATE ?= melange/nginx-templates.json
MELANGE_OPTS ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS} MELANGE_OPTS ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS}
MELANGE_INGRESS_OPT ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS} --empty-workspace MELANGE_INGRESS_OPT ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS} --empty-workspace
APKO_OPTS ?= -k ${KEY}.pub --debug --build-arch ${ARCHS} ${APKO_DIR}/${FILE}.yaml APKO_OPTS ?= -k ${KEY}.pub --debug --use-docker-mediatypes --sbom=false --build-arch ${ARCHS} ${APKO_DIR}/${FILE}.yaml
KEY ?= melange.rsa KEY ?= melange.rsa
REPO ?= $(shell pwd)/packages REPO ?= $(shell pwd)/packages
ARCHS?="amd64,arm64,arm/v6,arm/v7,s390x" ARCHS?="amd64,arm64,arm/v6,arm/v7,s390x"
@ -52,10 +52,10 @@ keygen: ## Generate Key pair for use with signing apks
melange: ## Build melange $FILE melange: ## Build melange $FILE
${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml ${MELANGE_OPTS} --template '$(shell cat ${TEMPLATE})' ${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml ${MELANGE_OPTS} --template '$(shell cat ${TEMPLATE})'
ingress-melange: ingress-build:
${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml ${MELANGE_INGRESS_OPT} --template '$(shell cat ${TEMPLATE})' ${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml ${MELANGE_INGRESS_OPT} --template '$(shell cat ${TEMPLATE})'
nginx-melange: nginx-build:
${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml --source-dir ${MELANGE_DIR}/${FILE} ${MELANGE_OPTS} --template '$(shell cat ${TEMPLATE})' ${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml --source-dir ${MELANGE_DIR}/${FILE} ${MELANGE_OPTS} --template '$(shell cat ${TEMPLATE})'
apko-build: ## Build an apko pipeline with $KEY and $FILE apko-build: ## Build an apko pipeline with $KEY and $FILE
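Review bot: `--sbom=false` in the new `APKO_OPTS` turns off the SBOM apko would otherwise attach to the image, which is the provenance artefact this melange/apko toolchain exists to produce; if it is only there to speed up local testing, gate it behind a variable so the default keeps the SBOM, e.g. `SBOM ?= true` and `APKO_OPTS ?= -k ${KEY}.pub --debug --use-docker-mediatypes --sbom=${SBOM} --build-arch ${ARCHS} ${APKO_DIR}/${FILE}.yaml`. The renamed `ingress-build` and `nginx-build` targets also carry no `## …` help text, unlike `melange` and `apko-build`, so they presumably disappear from any help target that greps for it; `ingress-build: ## Build the ingress-nginx melange package for $FILE` and the equivalent for `nginx-build` would restore that. The variable block starts outside the first hunk.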


@ -0,0 +1,217 @@
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
- https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages'
packages:
- alpine-baselayout-data
- alpine-base
- apk-tools
- busybox
- dbg@local
- waitshutdown@local
- ingress-nginx@local
- dumb-init
- sudo
- bash
- strace
- libcap
- netcat-openbsd
- geoip-dev
- nginx@local
- opentracing@local
- msgpack-cpp@local
- datadog-cpp@local
- yaml-cpp@local
- zipkin-cpp@local
- modsecurity@local
- luaresty-balancer@local
- luacjson@local
- luajit@local
- lua-resty-cache@local
- lua-resty-cookie@local
- lua-resty-dns@local
- lua-resty-core@local
- lua-resty-global-throttle@local
- lua-resty-ipmatcher@local
- lua-resty-lock@local
- lua-resty-redis@local
- lua-resty-string@local
- lua-resty-upload@local
accounts:
groups:
- groupname: www-data
gid: 101
users:
- username: www-data
uid: 101
run-as: root
annotations:
org.opencontainers.image.title: "NGINX Ingress Controller for Kubernetes"
org.opencontainers.image.documentation: "https://kubernetes.github.io/ingress-nginx/"
org.opencontainers.image.source: "https://github.com/kubernetes/ingress-nginx"
org.opencontainers.image.vendor: "The Kubernetes Authors"
org.opencontainers.image.licenses: "Apache-2.0"
environment:
PATH: "$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin:/usr/local/nginx/sbin/"
LUA_PATH: "/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;"
LUA_CPATH: "/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
LUAJIT_INC: "/usr/local/include/luajit-2.1"
LUAJIT_LIB: "/usr/local/lib"
LUA_LIB_DIR: "/usr/local/lib/lua"
work-dir: /etc/nginx
paths:
- path: /usr/bin/nginx
type: hardlink
source: /usr/local/nginx/sbin/nginx
permissions: 0o777
uid: 101
gid: 101
- path: /usr/local/certificates/
type: directory
permissions: 0o777
uid: 101
gid: 101
recursive: true
- path: /etc/ingress-controller/ssl
type: directory
permissions: 0o777
uid: 101
gid: 101
recursive: true
- path: /etc/ingress-controller/auth
type: directory
permissions: 0o777
uid: 101
gid: 101
recursive: true
- path: /usr/local/
type: directory
permissions: 0o777
uid: 101
gid: 101
recursive: true
- path: /usr/local/
type: directory
permissions: 0o777
uid: 101
gid: 101
recursive: true
- path: /usr/local/bin/lua
type: hardlink
source: /usr/local/bin/luajit
permissions: 0o777
uid: 101
gid: 101
- path: /var/lib/
type: directory
permissions: 0o777
uid: 101
gid: 101
recursive: true
- path: /var/log/nginx/
type: directory
uid: 101
gid: 101
permissions: 0o777
recursive: true
- path: /var/lib/nginx/
type: directory
uid: 101
gid: 101
permissions: 0o777
recursive: true
- path: /var/lib/nginx/body
type: directory
uid: 101
gid: 101
permissions: 0o777
recursive: true
- path: /usr/local/nginx
type: directory
uid: 101
gid: 101
permissions: 0o777
recursive: true
- path: /run/nginx
uid: 101
gid: 101
type: directory
permissions: 0o777
recursive: true
- path: /run/nginx.pid
uid: 101
gid: 101
type: empty-file
permissions: 0o777
recursive: true
- path: /etc/nginx/modules
uid: 101
gid: 101
type: directory
permissions: 0o777
recursive: true
- path: /etc/nginx
uid: 101
gid: 101
type: directory
permissions: 0o777
recursive: true
- path: /usr/local/nginx
uid: 101
gid: 101
type: directory
permissions: 0o777
recursive: true
- path: /opt/modsecurity/var/log
uid: 101
gid: 101
type: directory
permissions: 0o777
recursive: true
- path: /opt/modsecurity/var/upload
uid: 101
gid: 101
type: directory
permissions: 0o777
recursive: true
- path: /opt/modsecurity/var/audit
uid: 101
gid: 101
type: directory
permissions: 0o777
recursive: true
- path: /var/log
uid: 101
gid: 101
type: directory
permissions: 0o777
recursive: true
- path: /etc/ingress-controller
uid: 101
gid: 101
type: directory
permissions: 0o777
recursive: true
- path: /tmp/nginx
uid: 101
gid: 101
type: directory
permissions: 0o777
recursive: true
- path: /var/log/nginx/
uid: 101
gid: 101
type: directory
permissions: 0o777
recursive: true
- path: /var/log/audit
uid: 101
gid: 101
type: directory
permissions: 0o777
recursive: true
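Review bot: Every `permissions:` entry in the new file is `0o777`, including the `/usr/bin/nginx` hardlink to the nginx binary and the recursive entries on `/usr/local/`, `/etc/nginx` and `/var/lib/`, so any process in the container can rewrite the binary, the Lua modules and the served configuration. The modified apko file in this same commit uses `0o755` for the equivalent entries, and directories owned by uid 101 need no more than that for the controller to write into them, so `permissions: 0o755` throughout (hardlinks included) is the safe default. Several paths are also listed twice with identical settings (`/usr/local/` at two places, `/usr/local/nginx` twice, `/var/log/nginx/` twice); depending on apply order a later edit to one copy may be silently overridden by the other, so keep one entry per path. `sudo`, `strace` and `apk-tools` in `packages:` read like debugging aids and, if they are, deserve a marker such as `# debug-only: drop before release`, since each is extra tooling present in the shipped image.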


@ -4,15 +4,10 @@ contents:
- https://dl-cdn.alpinelinux.org/alpine/edge/community - https://dl-cdn.alpinelinux.org/alpine/edge/community
- '@local /work/packages' - '@local /work/packages'
packages: packages:
- alpine-baselayout-data
- alpine-base
- apk-tools
- busybox
- dbg@local - dbg@local
- waitshutdown@local - waitshutdown@local
- ingress-nginx@local - ingress-nginx@local
- dumb-init - dumb-init
- bash
- geoip-dev - geoip-dev
- nginx@local - nginx@local
- opentracing@local - opentracing@local
@ -41,13 +36,19 @@ accounts:
users: users:
- username: www-data - username: www-data
uid: 101 uid: 101
run-as: 101 run-as: root
environments: annotations:
PATH: "$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin" org.opencontainers.image.title: "NGINX Ingress Controller for Kubernetes"
org.opencontainers.image.documentation: "https://kubernetes.github.io/ingress-nginx/"
org.opencontainers.image.source: "https://github.com/kubernetes/ingress-nginx"
org.opencontainers.image.vendor: "The Kubernetes Authors"
org.opencontainers.image.licenses: "Apache-2.0"
environment:
PATH: "$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin:/usr/local/nginx/sbin/"
LUA_PATH: "/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;" LUA_PATH: "/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;"
LUA_CPATH: "/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;" LUA_CPATH: "/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
:u: "/usr/local/include/luajit-2.1"
LUAJIT_INC: "/usr/local/include/luajit-2.1" LUAJIT_INC: "/usr/local/include/luajit-2.1"
LUAJIT_LIB: "/usr/local/lib" LUAJIT_LIB: "/usr/local/lib"
LUA_LIB_DIR: "/usr/local/lib/lua" LUA_LIB_DIR: "/usr/local/lib/lua"
@ -55,48 +56,36 @@ environments:
work-dir: /etc/nginx work-dir: /etc/nginx
paths: paths:
- path: /etc/ingress-controller/ssl
type: directory
permissions: 0o755
uid: 101
gid: 101
recursive: true
- path: /etc/ingress-controller/auth
type: directory
permissions: 0o755
uid: 101
gid: 101
recursive: true
- path: /usr/local/ - path: /usr/local/
type: directory type: directory
permissions: 0o755 permissions: 0o755
uid: 101 uid: 101
gid: 101 gid: 101
recursive: true recursive: true
- path: /usr/include/lua5.1 - path: /usr/local/
type: directory type: directory
permissions: 0o755 permissions: 0o755
uid: 101 uid: 101
gid: 101 gid: 101
recursive: true recursive: true
- path: /usr/local/bin/lua - path: /usr/local/bin/lua
type: symlink type: hardlink
source: /usr/local/bin/luajit source: /usr/local/bin/luajit
permissions: 0o755 permissions: 0o755
uid: 101 uid: 101
gid: 101 gid: 101
- path: /usr/local/include/lua
type: symlink
source: /usr/local/include/luajit-2.1
uid: 101
gid: 101
permissions: 0o755
- path: /usr/include/lua5.1
type: symlink
source: /usr/local/include/luajit-2.1
uid: 101
gid: 101
permissions: 0o755
- path: /usr/local/nginx/sbin/nginx
type: symlink
source: /sbin/nginx
uid: 101
gid: 101
permissions: 0o755
- path: /usr/bin/nginx
type: symlink
source: /usr/local/nginx/sbin/nginx
uid: 101
gid: 101
permissions: 0o755
- path: /var/lib/ - path: /var/lib/
type: directory type: directory
permissions: 0o755 permissions: 0o755
@ -181,12 +170,6 @@ paths:
type: directory type: directory
permissions: 0o755 permissions: 0o755
recursive: true recursive: true
- path: /etc/ingress-controller
uid: 101
gid: 101
type: directory
permissions: 0o755
recursive: true
- path: /tmp/nginx - path: /tmp/nginx
uid: 101 uid: 101
gid: 101 gid: 101
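Review bot: On the new side of the `paths:` hunk the entry that used to read `- path: /usr/include/lua5.1` now reads `- path: /usr/local/`, making it identical to the `/usr/local/` entry directly above it, so `/usr/local/` is declared twice and the `/usr/include/lua5.1` directory has no replacement; either drop the duplicate or restore the intended path. The same hunk deletes the `/etc/ingress-controller/ssl` and `/etc/ingress-controller/auth` directory entries and the last hunk deletes `/etc/ingress-controller`, so, as far as this file shows, nothing creates those directories with uid 101 ownership any more — that presumably only works while `run-as` is root and will break when the image returns to uid 101. The `paths:` list continues outside the last hunk.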


@ -215,11 +215,16 @@ pipeline:
set -o pipefail set -o pipefail
ls -lah ls -lah
ls -lah etc/nginx
export BUILD_PATH="${PWD}" export BUILD_PATH="${PWD}"
echo "BUILD_PATH $BUILD_PATH" echo "BUILD_PATH $BUILD_PATH"
echo "Arch: $(uname -m)" echo "Arch: $(uname -m)"
# improve compilation times
CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1))
export MAKEFLAGS=-j${CORES}
export CTEST_BUILD_FLAGS=${MAKEFLAGS}
export HUNTER_INSTALL_DIR=$(cat _3rdParty/Hunter/install-root-dir)
export LUAJIT_LIB=/usr/local/lib export LUAJIT_LIB=/usr/local/lib
export LUA_LIB_DIR="$LUAJIT_LIB/lua" export LUA_LIB_DIR="$LUAJIT_LIB/lua"
export LUAJIT_INC=/usr/local/include/luajit-2.1 export LUAJIT_INC=/usr/local/include/luajit-2.1
@ -230,9 +235,12 @@ pipeline:
ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1
ARCH=$(uname -m) ARCH=$(uname -m)
tree etc/nginx/
mkdir -p ${{targets.destdir}}/etc/nginx/ mkdir -p ${{targets.destdir}}/etc/nginx/
cp -R etc/nginx/ ${{targets.destdir}}/etc/nginx/ cp -R etc/nginx/geoip/ ${{targets.destdir}}/etc/nginx/
cp -R etc/nginx/lua/ ${{targets.destdir}}/etc/nginx/
cp -R etc/nginx/template/ ${{targets.destdir}}/etc/nginx/
cp -R etc/nginx/nginx.conf ${{targets.destdir}}/etc/nginx/
cp -R etc/nginx/opentracing.json ${{targets.destdir}}/etc/nginx/
tree ${{targets.destdir}}/etc/nginx/ tree ${{targets.destdir}}/etc/nginx/
# Get Brotli source and deps # Get Brotli source and deps
@ -339,23 +347,6 @@ pipeline:
--with-http_secure_link_module \ --with-http_secure_link_module \
--with-http_gunzip_module" --with-http_gunzip_module"
# "Combining -flto with -g is currently experimental and expected to produce unexpected results."
# https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html
CC_OPT="-g -O2 -fPIE -fstack-protector-strong \
-Wformat \
-Werror=format-security \
-Wno-deprecated-declarations \
-fno-strict-aliasing \
-D_FORTIFY_SOURCE=2 \
--param=ssp-buffer-size=4 \
-DTCP_FASTOPEN=23 \
-fPIC \
-I$HUNTER_INSTALL_DIR/include \
-Wno-cast-function-type"
LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L$HUNTER_INSTALL_DIR/lib"
WITH_FLAGS="--with-debug \ WITH_FLAGS="--with-debug \
--with-compat \ --with-compat \
--with-pcre-jit \ --with-pcre-jit \
@ -403,10 +394,9 @@ pipeline:
--param=ssp-buffer-size=4 \ --param=ssp-buffer-size=4 \
-DTCP_FASTOPEN=23 \ -DTCP_FASTOPEN=23 \
-fPIC \ -fPIC \
-I$HUNTER_INSTALL_DIR/include \
-Wno-cast-function-type" -Wno-cast-function-type"
LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L$HUNTER_INSTALL_DIR/lib" LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now"
if [[ ${ARCH} != "aarch64" ]]; then if [[ ${ARCH} != "aarch64" ]]; then
WITH_FLAGS="${WITH_FLAGS} --with-file-aio" WITH_FLAGS="${WITH_FLAGS} --with-file-aio"
@ -459,6 +449,8 @@ pipeline:
echo "::::::::::::::::::::::::::::::::::::::::::::" echo "::::::::::::::::::::::::::::::::::::::::::::"
make DESTDIR="${{targets.destdir}}" install make DESTDIR="${{targets.destdir}}" install
setcap cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \
&& setcap -v cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \
echo "::::::::::::::::::::::::::::::::::::::::::::" echo "::::::::::::::::::::::::::::::::::::::::::::"
echo ":::::::::::::::: CLEANUP :::::::::::::::::::" echo ":::::::::::::::: CLEANUP :::::::::::::::::::"
@ -468,10 +460,10 @@ pipeline:
rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/.git rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/.git
rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/util/regression-tests rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/util/regression-tests
setcap cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \
&& setcap -v cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \
echo "Clean up everything else" echo "Clean up everything else"
cd ${BUILD_PATH} cd ${BUILD_PATH}
rm -rf *.tar.gz ${BUILD_PATH}/ngx_devel_kit-{{ .NDK_VERSION }} \ rm -rf *.tar.gz ${BUILD_PATH}/ngx_devel_kit-{{ .NDK_VERSION }} \
${BUILD_PATH}/set-misc-nginx-module-{{ .SETMISC_VERSION }} \ ${BUILD_PATH}/set-misc-nginx-module-{{ .SETMISC_VERSION }} \
${BUILD_PATH}/headers-more-nginx-module-{{ .MORE_HEADERS_VERSION }} \ ${BUILD_PATH}/headers-more-nginx-module-{{ .MORE_HEADERS_VERSION }} \