From fbdd924a452da8720413fcf85f6a5116823bf0a9 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Wed, 25 Dec 2019 22:07:03 -0300
Subject: [PATCH 1/5] Update nginx image
---
 Makefile | 4 ++--
 internal/ingress/controller/util.go | 2 +-
 rootfs/Dockerfile | 13 ++++---------
 rootfs/etc/nginx/template/nginx.tmpl | 3 +--
 test/e2e/annotations/redirect.go | 4 ++--
 5 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/Makefile b/Makefile
index 0e078423d..334c5bdae 100644
--- a/Makefile
+++ b/Makefile
@@ -50,7 +50,7 @@ GOBUILD_FLAGS := -v
 ALL_ARCH = amd64 arm arm64
-QEMUVERSION = v4.1.0-1
+QEMUVERSION = v4.1.1-1
 BUSTED_ARGS =-v --pattern=_test
@@ -77,7 +77,7 @@ export E2E_CHECK_LEAKS
 export SLOW_E2E_THRESHOLD
 # Set default base image dynamically for each arch
-BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):daf8634acf839708722cffc67a62e9316a2771c6
+BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):23612cfde79b6ae7af4d30c3a7aaac0dcb5e6a27
 ifeq ($(ARCH),arm)
 QEMUARCH=arm
diff --git a/internal/ingress/controller/util.go b/internal/ingress/controller/util.go
index b19145c4b..56273f639 100644
--- a/internal/ingress/controller/util.go
+++ b/internal/ingress/controller/util.go
@@ -73,7 +73,7 @@ func rlimitMaxNumFiles() int {
 }
 const (
- defBinary = "/usr/local/openresty/nginx/sbin/nginx"
+ defBinary = "/usr/local/nginx/sbin/nginx"
 cfgPath = "/etc/nginx/nginx.conf"
 )
diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile
index d93701db7..27b8fa224 100644
--- a/rootfs/Dockerfile
+++ b/rootfs/Dockerfile
@@ -31,10 +31,6 @@ RUN clean-install \
 COPY --chown=www-data:www-data . /
-RUN cp /usr/local/openresty/nginx/conf/mime.types /etc/nginx/mime.types \
- && cp /usr/local/openresty/nginx/conf/fastcgi_params /etc/nginx/fastcgi_params
-RUN ln -s /usr/local/openresty/nginx/modules /etc/nginx/modules
-
 # Fix permission during the build to avoid issues at runtime
 # with volumes (custom templates)
 RUN bash -eu -c ' \
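Review bot: `defBinary` in internal/ingress/controller/util.go hard-codes the nginx path, and the same path is repeated in the two `setcap` commands of rootfs/Dockerfile later in this patch, with nothing tying the copies together. If they drift, the controller would presumably start a binary that lacks cap_net_bind_service, or find none at all. A comment on the constant would record the coupling: `// defBinary is the nginx binary shipped in the base image; rootfs/Dockerfile grants it cap_net_bind_service, keep both paths in sync.`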
@@ -53,15 +49,14 @@ RUN bash -eu -c ' \
 RUN setcap cap_net_bind_service=+ep /nginx-ingress-controller \
 && setcap -v cap_net_bind_service=+ep /nginx-ingress-controller
-RUN setcap cap_net_bind_service=+ep /usr/local/openresty/nginx/sbin/nginx \
- && setcap -v cap_net_bind_service=+ep /usr/local/openresty/nginx/sbin/nginx
+RUN setcap cap_net_bind_service=+ep /usr/local/nginx/sbin/nginx \
+ && setcap -v cap_net_bind_service=+ep /usr/local/nginx/sbin/nginx
 USER www-data
 # Create symlinks to redirect nginx logs to stdout and stderr docker log collector
-RUN ln -sf /dev/stdout /usr/local/openresty/nginx/logs/access.log \
- && ln -sf /dev/stderr /usr/local/openresty/nginx/logs/error.log \
- && ln -s /usr/local/openresty/nginx/logs/* /var/log/nginx
+RUN ln -sf /dev/stdout /var/log/nginx/access.log \
+ && ln -sf /dev/stderr /var/log/nginx/error.log
 ENTRYPOINT ["/usr/bin/dumb-init", "--"]
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index c6ae5a373..5ee179516 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -600,8 +600,7 @@ http {
 }
 stream {
- lua_package_cpath "/usr/local/lib/lua/?.so;/usr/lib/lua-platform-path/lua/5.1/?.so;;";
- lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;/usr/local/lib/lua/?.lua;;";
+ lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;";
 lua_shared_dict tcp_udp_configuration_data 5M;
diff --git a/test/e2e/annotations/redirect.go b/test/e2e/annotations/redirect.go
index c064d8304..152e4b9bb 100644
--- a/test/e2e/annotations/redirect.go
+++ b/test/e2e/annotations/redirect.go
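Review bot: The `setcap cap_net_bind_service=+ep /usr/local/nginx/sbin/nginx` line in rootfs/Dockerfile sets the effective bit, so the kernel refuses to exec the binary when the container's bounding set lacks NET_BIND_SERVICE, and the Dockerfile has no comment saying so. The manifests touched later in this series list NET_BIND_SERVICE under `add:`, but a custom deployment that omits it would see nginx fail with a permission error rather than a bind error. A comment above the RUN would help: `# nginx runs as www-data and binds privileged ports through this file capability; pods must keep NET_BIND_SERVICE in securityContext.capabilities.add`.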
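Review bot: After this change the `stream` block in rootfs/etc/nginx/template/nginx.tmpl no longer sets `lua_package_cpath`, and its `lua_package_path` drops `/usr/local/lib/lua/?.lua`, so every module outside /etc/nginx/lua now resolves through the trailing `;;` default of the base image. Nothing in the template records that dependency; if the image's built-in default differs, the stream Lua code would presumably fail only when it is loaded. A template comment such as `# C modules and shared Lua libraries come from the image's default search path (the trailing ;;)` would help. The `http` block lies outside this hunk and should be checked for the same settings.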
@@ -72,7 +72,7 @@ var _ = framework.IngressNginxDescribe("Annotations - Redirect", func() {
 Expect(errs).To(BeNil())
 Expect(resp.StatusCode).Should(BeNumerically("==", http.StatusMovedPermanently))
 Expect(resp.Header.Get("Location")).Should(Equal(redirectURL))
- Expect(body).Should(ContainSubstring("openresty/"))
+ Expect(body).Should(ContainSubstring("nginx/"))
 })
 It("should respond with a custom redirect code", func() {
@@ -108,6 +108,6 @@ var _ = framework.IngressNginxDescribe("Annotations - Redirect", func() {
 Expect(errs).To(BeNil())
 Expect(resp.StatusCode).Should(BeNumerically("==", redirectCode))
 Expect(resp.Header.Get("Location")).Should(Equal(redirectURL))
- Expect(body).Should(ContainSubstring("openresty/"))
+ Expect(body).Should(ContainSubstring("nginx/"))
 })
 })
From 025d4eacebae831206820e14347e327fc6f60e61 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Fri, 27 Dec 2019 20:08:30 -0300
Subject: [PATCH 2/5] Migrate to alpine linux
---
 Makefile | 2 +-
 deploy/cloud-generic/deployment.yaml | 4 ++--
 deploy/static/mandatory.yaml | 4 ++--
 deploy/static/with-rbac.yaml | 4 ++--
 docs/examples/psp/psp.yaml | 2 +-
 rootfs/Dockerfile | 8 ++++----
 6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/Makefile b/Makefile
index 334c5bdae..afa9726b9 100644
--- a/Makefile
+++ b/Makefile
@@ -77,7 +77,7 @@ export E2E_CHECK_LEAKS
 export SLOW_E2E_THRESHOLD
 # Set default base image dynamically for each arch
-BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):23612cfde79b6ae7af4d30c3a7aaac0dcb5e6a27
+BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):4cad1304ef05799cd5b7eae5d2f49e36d12c5b21
 ifeq ($(ARCH),arm)
 QEMUARCH=arm
diff --git a/deploy/cloud-generic/deployment.yaml b/deploy/cloud-generic/deployment.yaml
index 1efb26907..d75943a9d 100644
--- a/deploy/cloud-generic/deployment.yaml
+++ b/deploy/cloud-generic/deployment.yaml
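Review bot: Both updated assertions in test/e2e/annotations/redirect.go (`ContainSubstring("nginx/")` in the first hunk and again in the second) depend on the server name and version separator appearing in the redirect body, which presumably only happens while server tokens are enabled. That ties the redirect tests to version disclosure: they would fail under a hardened configuration that hides the banner, and the check says nothing about the redirect itself. Consider dropping the body check, since the status code and `Location` header are already asserted, or matching text that does not come from the banner. Both `It` bodies start outside their hunks.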
@@ -30,8 +30,8 @@ spec:
 - ALL
 add:
 - NET_BIND_SERVICE
- # www-data -> 33
- runAsUser: 33
+ # www-data -> 101
+ runAsUser: 101
 env:
 - name: POD_NAME
 valueFrom:
diff --git a/deploy/static/mandatory.yaml b/deploy/static/mandatory.yaml
index d0d245c87..e55e3276f 100644
--- a/deploy/static/mandatory.yaml
+++ b/deploy/static/mandatory.yaml
@@ -232,8 +232,8 @@ spec:
 - ALL
 add:
 - NET_BIND_SERVICE
- # www-data -> 33
- runAsUser: 33
+ # www-data -> 101
+ runAsUser: 101
 env:
 - name: POD_NAME
 valueFrom:
diff --git a/deploy/static/with-rbac.yaml b/deploy/static/with-rbac.yaml
index ac068b0c2..aacb085ad 100644
--- a/deploy/static/with-rbac.yaml
+++ b/deploy/static/with-rbac.yaml
@@ -43,8 +43,8 @@ spec:
 - ALL
 add:
 - NET_BIND_SERVICE
- # www-data -> 33
- runAsUser: 33
+ # www-data -> 101
+ runAsUser: 101
 env:
 - name: POD_NAME
 valueFrom:
diff --git a/docs/examples/psp/psp.yaml b/docs/examples/psp/psp.yaml
index 047e86601..f840103bd 100644
--- a/docs/examples/psp/psp.yaml
+++ b/docs/examples/psp/psp.yaml
@@ -35,7 +35,7 @@ spec:
 runAsUser:
 rule: 'MustRunAsNonRoot'
 ranges:
- - min: 33
+ - min: 101
 max: 65535
 seLinux:
 rule: 'RunAsAny'
diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile
index 27b8fa224..1ff30e443 100644
--- a/rootfs/Dockerfile
+++ b/rootfs/Dockerfile
@@ -25,21 +25,21 @@ CROSS_BUILD_COPY qemu-QEMUARCH-static /usr/bin/
 WORKDIR /etc/nginx
-RUN clean-install \
+RUN apk add -U --no-cache \
 diffutils \
- libcap2-bin
+ libcap
 COPY --chown=www-data:www-data . /
 # Fix permission during the build to avoid issues at runtime
 # with volumes (custom templates)
-RUN bash -eu -c ' \
+RUN bash -xeu -c ' \
 writeDirs=( \
+ /etc/ingress-controller \
 /etc/ingress-controller/ssl \
 /etc/ingress-controller/auth \
 /var/log \
 /var/log/nginx \
- /tmp \
 ); \
 for dir in "${writeDirs[@]}"; do \
 mkdir -p ${dir}; \
From f9e2b7c14b46a9d42befc792e2dc403b751584fa Mon Sep 17 00:00:00 2001
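Review bot: The hard-coded `runAsUser: 101` in deploy/cloud-generic/deployment.yaml, and the same two lines in deploy/static/mandatory.yaml and deploy/static/with-rbac.yaml, must match the UID that www-data has inside the new image, and nothing visible in the series checks that. Existing installs are affected as well: files or volumes still owned by UID 33, and pod security policies that admit only the old UID, would presumably break on upgrade. The comment could say where the number comes from, e.g. `# www-data -> 101 in the Alpine-based image (33 in the previous image)`, and the change deserves an upgrade note.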
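Review bot: In docs/examples/psp/psp.yaml the `ranges` entry sits under `rule: 'MustRunAsNonRoot'`, and as far as I know PodSecurityPolicy only evaluates `ranges` for `MustRunAs`, so raising `min` from 33 to 101 probably changes nothing that is enforced. If the example is meant to confine the controller to UID 101 and above, the rule would need to be `rule: 'MustRunAs'`. If any non-root UID is acceptable, the `ranges` block is misleading and could be removed. The rest of the `spec` lies outside the hunk.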
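Review bot: Adding `/etc/ingress-controller` to `writeDirs` in rootfs/Dockerfile widens what the unprivileged runtime user can modify from the `ssl` and `auth` subdirectories to their parent, assuming the loop (whose body continues outside the hunk) hands these directories to www-data. The same hunk drops `/tmp` from the list, so the image must already provide a /tmp that www-data can write. Neither decision is explained; a comment above the array would help, e.g. `# parent dir is listed because <reason>; /tmp is left to the base image`.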
From: Manuel Alejandro de Brito Fontes
Date: Fri, 27 Dec 2019 20:33:28 -0300
Subject: [PATCH 3/5] Fix status code
---
 test/e2e/annotations/auth.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go
index ce927907b..66ab3d80b 100644
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@@ -214,7 +214,7 @@ var _ = framework.IngressNginxDescribe("Annotations - Auth", func() {
 Expect(resp.StatusCode).Should(Equal(http.StatusOK))
 })
- It("should return status code 500 when authentication is configured with invalid content and Authorization header is sent", func() {
+ It("should return status code 401 when authentication is configured with invalid content and Authorization header is sent", func() {
 host := "auth"
 s := f.EnsureSecret(
@@ -253,7 +253,7 @@ var _ = framework.IngressNginxDescribe("Annotations - Auth", func() {
 End()
 Expect(errs).Should(BeEmpty())
- Expect(resp.StatusCode).Should(Equal(http.StatusInternalServerError))
+ Expect(resp.StatusCode).Should(Equal(http.StatusUnauthorized))
 })
 It(`should set snippet "proxy_set_header My-Custom-Header 42;" when external auth is configured`, func() {
From d9423340eb1c96272c1e5c0da84f7e30c0561869 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Sat, 4 Jan 2020 13:24:15 -0300
Subject: [PATCH 4/5] Update nginx image
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index afa9726b9..a67cbccb4 100644
--- a/Makefile
+++ b/Makefile
@@ -77,7 +77,7 @@ export E2E_CHECK_LEAKS
 export SLOW_E2E_THRESHOLD
 # Set default base image dynamically for each arch
-BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):4cad1304ef05799cd5b7eae5d2f49e36d12c5b21
+BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):422f554ba9cb291b4402306d77e218dff63ffab4
 ifeq ($(ARCH),arm)
 QEMUARCH=arm
From 1f2820a3432e313e54a675b60020015dbf68c0f9 Mon Sep 17 00:00:00 2001
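Review bot: The expectation for a malformed auth secret changes from 500 to 401 in test/e2e/annotations/auth.go (the `It` title in the first hunk and the assertion in the second), but neither the test nor the commit message says why. Presumably this follows the base image switch earlier in the series. The security-relevant property is that the request is still refused, and a comment above the assertion would pin that down: `// a malformed auth file must still deny access; the nginx image answers 401 where the previous image answered 500`. The `It` body spans both hunks and is only partly visible.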
From: Manuel Alejandro de Brito Fontes
Date: Sat, 4 Jan 2020 15:17:24 -0300
Subject: [PATCH 5/5] GeoIP test are temporarily disabled
---
 test/e2e/settings/geoip2.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/test/e2e/settings/geoip2.go b/test/e2e/settings/geoip2.go
index 28070a7d9..78d444023 100644
--- a/test/e2e/settings/geoip2.go
+++ b/test/e2e/settings/geoip2.go
@@ -37,6 +37,8 @@ var _ = framework.IngressNginxDescribe("Geoip2", func() {
 })
 It("should only allow requests from specific countries", func() {
+ Skip("GeoIP test are temporarily disabled")
+
 f.UpdateNginxConfigMapData("use-geoip2", "true")
 httpSnippetAllowingOnlyAustralia :=
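Review bot: The added `Skip("GeoIP test are temporarily disabled")` in test/e2e/settings/geoip2.go turns off the check of the country-based allow list without giving a reason or a reference for turning it back on. Skipped tests of access-control behaviour tend to stay skipped, so the message should name the cause and a tracking issue, e.g. `Skip("GeoIP tests are temporarily disabled: <reason>, see <tracking issue URL>")`. The `It` body continues outside the hunk, so everything after the Skip no longer runs.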