Use nginxcontrib/nginx-ubi as base image for UBI

lucacome · lucacome · commit 285ceeff3e10 · 2022-07-13T15:28:38.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -354,7 +354,7 @@ jobs:
           platforms: ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"]
           include:
             - image: ubi
-              platforms: "linux/arm64, linux/amd64, linux/s390x"
+              platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v3
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -21,8 +21,7 @@ RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
 	&& rm -rf /var/lib/apt/lists/* \
 	&& cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
 	&& cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \
-	&& ldconfig \
-	&& echo $NGINX_VERSION > nginx_version
+	&& ldconfig
 
 
 ############################################# Base image for Alpine #############################################
@@ -114,10 +113,9 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 
 
 ############################################# Base image for UBI #############################################
-FROM redhat/ubi8 AS ubi-base
+FROM nginxcontrib/nginx-ubi:1.23.0 AS ubi
 ARG IC_VERSION
 
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 LABEL name="NGINX Ingress Controller" \
 	maintainer="kubernetes@nginx.com" \
 	vendor="NGINX Inc" \
@@ -128,36 +126,20 @@ LABEL name="NGINX Ingress Controller" \
 	io.k8s.description="The NGINX Ingress Controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources." \
 	io.openshift.tags="nginx,ingress-controller,ingress,controller,kubernetes,openshift"
 
-RUN dnf --nodocs install -y shadow-utils ca-certificates \
-	# temp fix for CVE-2022-1271, CVE-2022-22576, CVE-2022-25313, CVE-2022-22576, CVE-2021-40528, CVE-2021-3634, CVE-2022-29824, CVE-2021-4189, CVE-2021-4189, CVE-2022-29824, CVE-2022-1621
-	&& dnf --nodocs upgrade -y xz-libs curl expat libcurl libgcrypt libssh libssh-config libxml2 platform-python python3-libs python3-libxml2 vim-minimal \
-	&& groupadd --system --gid 101 nginx \
-	&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx
-
 COPY --link --chown=101:0 LICENSE /licenses/
 
 
-############################################# Base image for UBI OSS #############################################
-FROM ubi-base AS ubi
-
-RUN --mount=type=bind,from=debian,source=/nginx_version,target=/tmp/nginx_version \
-	export NGINX_VERSION=$(</tmp/nginx_version) \
-	&& rpm --import https://nginx.org/keys/nginx_signing.key \
-	&& version=$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1) \
-	&& printf "%s\n" "[nginx]" "name=nginx repo" \
-	"baseurl=https://nginx.org/packages/mainline/centos/${version}/\$basearch/" \
-	"gpgcheck=1" "enabled=1" "module_hotfixes=true" > /etc/yum.repos.d/nginx.repo \
-	&& dnf --nodocs install -y nginx-${NGINX_VERSION} \
-	&& rm /etc/yum.repos.d/nginx.repo
-
-
 ############################################# Base image for UBI with NGINX Plus #############################################
-FROM ubi-base AS ubi-plus
+FROM redhat/ubi8 AS ubi-plus
 ARG NGINX_PLUS_VERSION
 
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
 	--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
-	rpm --import https://cs.nginx.com/static/keys/nginx_signing.key \
+	dnf --nodocs install -y shadow-utils ca-certificates \
+	&& groupadd --system --gid 101 nginx \
+	&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+	&& rpm --import https://cs.nginx.com/static/keys/nginx_signing.key \
 	&& curl -fsSL "https://cs.nginx.com/static/files/nginx-plus-$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1).repo" | tr 0 1 > /etc/yum.repos.d/nginx-plus.repo \
 	&& sed -i "0,/centos/s;;${NGINX_PLUS_VERSION}/centos;" /etc/yum.repos.d/nginx-plus.repo \
 	&& dnf --nodocs install -y nginx-plus nginx-plus-module-njs
diff --git a/docs/content/technical-specifications.md b/docs/content/technical-specifications.md
@@ -47,7 +47,7 @@ All images include NGINX 1.23.0.
 | ---| ---| ---| --- | --- |
 |Alpine-based image | ``nginx:1.23.0-alpine``, which is based on ``alpine:3.16`` | NGINX OpenTracing module, OpenTracing library, OpenTracing tracers for Jaeger, Zipkin and Datadog | ``nginx/nginx-ingress:2.3.0-alpine`` | arm/v7, arm64, amd64, ppc64le, s390x |
 |Debian-based image | ``nginx:1.23.0``, which is based on ``debian:bullseye-slim`` | NGINX OpenTracing module, OpenTracing library, OpenTracing tracers for Jaeger, Zipkin and Datadog | ``nginx/nginx-ingress:2.3.0`` | arm/v7, arm64, amd64, ppc64le, s390x |
-|Ubi-based image | ``redhat/ubi8`` |  | ``nginx/nginx-ingress:2.3.0-ubi`` | arm64, amd64, s390x |
+|Ubi-based image | ``nginxcontrib/nginx-ubi:1.23.0``, which is based on ``redhat/ubi9-minimal`` |  | ``nginx/nginx-ingress:2.3.0-ubi`` | arm64, amd64, ppc64le, s390x |
 {{% /table %}}
 
 ### Images with NGINX Plus
