10 changes: 6 additions & 4 deletions .github/actions/smoke-tests/action.yaml
Expand Up @@ -42,7 +42,8 @@ runs:
id: ingress-type
run: |
echo "name=nginx${{ contains(inputs.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT
echo "tag=${{ inputs.image }}${{ contains(inputs.image, 'nap') && '-dos' || '' }}-${{ github.sha }}" >> $GITHUB_OUTPUT
echo "tag=${{ inputs.image }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}${{ contains(inputs.marker, 'appprotect') && '-nap' || '' }}-${{ github.sha }}" >> $GITHUB_OUTPUT
echo "modules=${{ contains(inputs.marker, 'appprotect') && 'waf' || '' }}${{ contains(inputs.marker, 'dos') && 'dos' || '' }}" >> $GITHUB_OUTPUT
shell: bash

- name: Docker Buildx
Expand All @@ -53,16 +54,17 @@ runs:
with:
file: build/Dockerfile
context: '.'
cache-from: type=gha,scope=${{ inputs.image }}
cache-to: type=gha,scope=${{ inputs.image }},mode=max
cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}${{ contains(inputs.marker, 'appprotect') && '-nap' || '' }}
cache-to: type=gha,scope=${{ inputs.image }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}${{ contains(inputs.marker, 'appprotect') && '-nap' || '' }},mode=max
target: goreleaser
tags: 'docker.io/nginx/${{ steps.ingress-type.outputs.name }}:${{ steps.ingress-type.outputs.tag }}'
load: true
pull: true
build-args: |
BUILD_OS=${{ inputs.image }}
IC_VERSION=CI
${{ contains(inputs.image, 'nap') && 'NAP_MODULES=dos' || '' }}
${{ steps.ingress-type.outputs.modules != '' && format('NAP_MODULES={0}', steps.ingress-type.outputs.modules) || '' }}
${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
secrets: |
${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', inputs.nginx-crt) || '' }}
${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', inputs.nginx-key) || '' }}
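Review bot: The `modules` output added at L31 concatenates `waf` and `dos` with no separator, so a marker containing both `appprotect` and `dos` would yield `NAP_MODULES=wafdos` at L51, while build-plus.yml's own check (`== "waf,dos"`) expects the comma form; if no marker ever selects both this stays latent, but the two files will drift. A separator-aware line fixes it: `echo "modules=${{ contains(inputs.marker, 'appprotect') && 'waf' || '' }}${{ contains(inputs.marker, 'appprotect') && contains(inputs.marker, 'dos') && ',' || '' }}${{ contains(inputs.marker, 'dos') && 'dos' || '' }}" >> "$GITHUB_OUTPUT"`. Separately, the new L30 still interpolates `${{ inputs.image }}` straight into the shell line (the other `${{ }}` fragments only expand to fixed literals); the conventional hardening is to pass it through `env:` and reference `"$IMAGE"` so an unexpected input value is treated as data rather than shell. The enclosing `runs:` block starts and ends outside both hunks.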
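--- /dev/null
+++ b/.github/workflows/build-oss.yml
@@ -0,0 +1,173 @@
+name: Build OSS
+
+on:
+workflow_call:
+inputs:
+platforms:
+required: true
+type: string
+image:
+required: true
+type: string
+tag:
+required: false
+type: string
+sha_long:
+required: false
+type: string
+
+defaults:
+run:
+shell: bash
+
+jobs:
+build:
+runs-on: ubuntu-22.04
+outputs:
+version: ${{ steps.meta.outputs.version }}
+image_digest: ${{ steps.build-push.outputs.digest }}
+steps:
+- name: Checkout Repository
+uses: actions/checkout@v3
+with:
+ref: ${{ inputs.tag != '' && format('refs/tags/v{0}', inputs.tag) || github.ref }}
+fetch-depth: 0
+
+- name: Fetch Cached Artifacts
+uses: actions/cache@v3
+with:
+path: ${{ github.workspace }}/dist
+key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}-multi
+
+- name: Setup QEMU
+uses: docker/setup-qemu-action@v2
+with:
+platforms: arm,arm64,ppc64le,s390x
+if: github.event_name != 'pull_request'
+
+- name: Docker Buildx
+uses: docker/setup-buildx-action@v2
+- name: DockerHub Login
+uses: docker/login-action@v2
+with:
+username: ${{ secrets.DOCKER_USERNAME }}
+password: ${{ secrets.DOCKER_PASSWORD }}
+if: github.event_name != 'pull_request'
+
+- name: Login to GitHub Container Registry
+uses: docker/login-action@v2
+with:
+registry: ghcr.io
+username: ${{ github.repository_owner }}
+password: ${{ secrets.GITHUB_TOKEN }}
+if: github.event_name != 'pull_request'
+
+- name: Login to Public ECR
+uses: docker/login-action@v2
+with:
+registry: public.ecr.aws
+username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+if: github.event_name != 'pull_request'
+
+- name: Login to Quay.io
+uses: docker/login-action@v2
+with:
+registry: quay.io
+username: ${{ secrets.QUAY_USERNAME }}
+password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+if: github.event_name != 'pull_request'
+
+- name: Get short tag
+id: tag
+run: |
+version="${{ inputs.tag }}"
+short="${version%.*}"
+echo "short=$short" >> $GITHUB_OUTPUT
+if: ${{ inputs.tag != '' }}
+
+- name: Docker meta
+id: meta
+uses: docker/metadata-action@v4
+with:
+images: |
+name=nginx/nginx-ingress
+name=ghcr.io/nginxinc/kubernetes-ingress
+name=public.ecr.aws/nginx/nginx-ingress
+name=quay.io/nginx/nginx-ingress
+flavor: |
+latest=${{ (inputs.tag != '' && 'true') || 'auto' }}
+suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }},onlatest=true
+tags: |
+type=edge
+type=ref,event=pr
+type=schedule
+type=semver,pattern={{version}}
+type=semver,pattern={{major}}.{{minor}}
+type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}
+type=raw,value=${{ steps.tag.outputs.short }},enable=${{ inputs.tag != '' }}
+labels: |
+org.opencontainers.image.description=NGINX Ingress Controller for Kubernetes
+org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller
+org.opencontainers.image.vendor=NGINX Inc <[email protected]>
+org.opencontainers.image.revision=${{ inputs.sha_long != '' && inputs.sha_long || github.sha }}
+io.artifacthub.package.readme-url=https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/main/README.md
+io.artifacthub.package.logo-url=https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg
+io.artifacthub.package.maintainers=[{"name":"NGINX Inc","email":"[email protected]"}]
+io.artifacthub.package.license=Apache-2.0
+io.artifacthub.package.keywords=kubernetes,ingress,nginx,controller
+
+- name: Build Docker image
+uses: docker/build-push-action@v3
+id: build-push
+with:
+file: build/Dockerfile
+context: '.'
+cache-from: type=gha,scope=${{ inputs.image }}
+cache-to: type=gha,scope=${{ inputs.image }},mode=max
+target: goreleaser
+tags: ${{ steps.meta.outputs.tags }}
+labels: ${{ steps.meta.outputs.labels }}
+platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }}
+load: ${{ github.event_name == 'pull_request' }}
+push: ${{ github.event_name != 'pull_request' }}
+pull: true
+no-cache: ${{ github.event_name != 'pull_request' }}
+build-args: |
+BUILD_OS=${{ inputs.image }}
+IC_VERSION=${{ github.event_name == 'pull_request' && 'CI' || steps.meta.outputs.version }}
+
+- name: Run Trivy vulnerability scanner
+uses: aquasecurity/[email protected]
+continue-on-error: true
+with:
+image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
+format: 'sarif'
+output: 'trivy-results-${{ inputs.image }}.sarif'
+ignore-unfixed: 'true'
+
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@v2
+continue-on-error: true
+with:
+sarif_file: 'trivy-results-${{ inputs.image }}.sarif'
+
+- name: Upload Scan Results
+uses: actions/upload-artifact@v3
+continue-on-error: true
+with:
+name: 'trivy-results-${{ inputs.image }}.sarif'
+path: 'trivy-results-${{ inputs.image }}.sarif'
+if: always()
+
+send-notification:
+name: Send Notification
+needs: build
+uses: ./.github/workflows/updates-notification.yml
+with:
+sha_long: ${{ inputs.sha_long }}
+tag: ${{ inputs.tag }}
+version: ${{ needs.build.outputs.version }}
+image_digest: ${{ needs.build.outputs.image_digest }}
+secrets: inherit
+if: ${{ inputs.tag != '' }}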
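Review bot: Every action in this new workflow is referenced by a mutable tag (`actions/checkout@v3` at L90, `docker/login-action@v2`, `docker/build-push-action@v3`, `aquasecurity/[email protected]` at L200, and the rest), so a force-moved or compromised tag changes what runs in a job holding the registry credentials at L112-L137; pinning each `uses:` to a full commit SHA with the tag kept as a trailing comment (`uses: actions/checkout@<full-sha>  # v3`) removes that exposure, and the same applies throughout build-plus.yml. The workflow also declares no `permissions:` block even though the ghcr login at L121 spends `GITHUB_TOKEN` and the SARIF upload at L209 needs `security-events: write`; stating the minimum explicitly (`permissions:` with `contents: read`, `packages: write`, `security-events: write`) documents the intent and stops a caller's broader default from leaking in. Because the Trivy scan at L199 and the upload at L208 both carry `continue-on-error: true`, a scan that fails on a permission or image-pull error passes silently; dropping it from the scan step, or setting `exit-code: '1'` together with a `severity` threshold, would make the job surface the failure instead of hiding it.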
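--- /dev/null
+++ b/.github/workflows/build-plus.yml
@@ -0,0 +1,161 @@
+name: Build Plus
+
+on:
+workflow_call:
+inputs:
+platforms:
+required: true
+type: string
+image:
+required: true
+type: string
+target:
+required: true
+type: string
+nap_modules:
+required: false
+type: string
+
+defaults:
+run:
+shell: bash
+
+jobs:
+build:
+runs-on: ubuntu-22.04
+steps:
+- name: Checkout Repository
+uses: actions/checkout@v3
+with:
+fetch-depth: 0
+
+- name: Fetch Cached Artifacts
+uses: actions/cache@v3
+with:
+path: ${{ github.workspace }}/dist
+key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}-multi
+
+- name: Setup QEMU
+uses: docker/setup-qemu-action@v2
+with:
+platforms: arm64
+if: github.event_name != 'pull_request'
+
+- name: Docker Buildx
+uses: docker/setup-buildx-action@v2
+
+- name: GCR Login
+uses: docker/login-action@v2
+with:
+registry: gcr.io
+username: _json_key
+password: ${{ secrets.GCR_JSON_KEY }}
+if: github.event_name != 'pull_request'
+
+- name: Login to ECR
+uses: docker/login-action@v2
+with:
+registry: 709825985650.dkr.ecr.us-east-1.amazonaws.com
+username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+if: startsWith(github.ref, 'refs/tags/')
+
+- name: Docker meta
+id: meta
+uses: docker/metadata-action@v4
+with:
+images: |
+name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress
+name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress,enable=${{ startsWith(github.ref, 'refs/tags/') }}
+name=709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},enable=${{ startsWith(github.ref, 'refs/tags/') && contains(inputs.target, 'aws') }}
+flavor: |
+suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }},onlatest=true
+latest=${{ contains(inputs.target, 'aws') && 'false' || 'auto' }}
+tags: |
+type=edge
+type=ref,event=pr
+type=schedule,pattern={{date 'YYYYMMDD'}}
+type=semver,pattern={{version}}
+labels: |
+org.opencontainers.image.description=NGINX Plus Ingress Controller for Kubernetes
+org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller
+org.opencontainers.image.vendor=NGINX Inc <[email protected]>
+
+- name: NAP modules
+id: nap_modules
+run: |
+modules=""
+if [[ "${{ inputs.nap_modules }}" == "waf,dos" ]]; then
+modules="both"
+else
+modules="${{ inputs.nap_modules }}"
+fi
+echo "modules=${modules}" >> $GITHUB_OUTPUT
+if: ${{ inputs.nap_modules != '' }}
+
+- name: Build Plus Docker image
+uses: docker/build-push-action@v3
+with:
+file: build/Dockerfile
+context: '.'
+cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}
+cache-to: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},mode=max
+target: ${{ inputs.target }}
+tags: ${{ steps.meta.outputs.tags }}
+labels: ${{ steps.meta.outputs.labels }}
+platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }}
+load: ${{ github.event_name == 'pull_request' }}
+push: ${{ github.event_name != 'pull_request' }}
+pull: true
+no-cache: ${{ github.event_name != 'pull_request' }}
+build-args: |
+BUILD_OS=${{ inputs.image }}
+IC_VERSION=${{ startsWith(github.ref, 'refs/tags/') && steps.meta.outputs.version || 'CI' }}
+${{ inputs.nap_modules != '' && format('NAP_MODULES={0}', inputs.nap_modules) || '' }}
+${{ steps.nap_modules.outputs.modules != '' && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
+${{ contains(inputs.nap_modules, 'waf') && 'DEBIAN_VERSION=buster-slim' || '' }}
+secrets: |
+"nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
+"nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
+
+- name: Load image for Trivy
+uses: docker/build-push-action@v3
+with:
+file: build/Dockerfile
+context: '.'
+cache-from: type=gha,scope=${{ inputs.image }}
+target: ${{ inputs.target }}
+tags: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }}
+load: true
+build-args: |
+BUILD_OS=${{ inputs.image }}
+IC_VERSION=${{ startsWith(github.ref, 'refs/tags/') && steps.meta.outputs.version || 'CI' }}
+${{ inputs.nap_modules != '' && format('NAP_MODULES={0}', inputs.nap_modules) || '' }}
+${{ steps.nap_modules.outputs.modules != '' && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
+${{ contains(inputs.nap_modules, 'waf') && 'DEBIAN_VERSION=buster-slim' || '' }}
+secrets: |
+"nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
+"nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
+
+- name: Run Trivy vulnerability scanner
+uses: aquasecurity/[email protected]
+continue-on-error: true
+with:
+image-ref: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }}
+format: 'sarif'
+output: 'trivy-results-${{ inputs.image }}.sarif'
+ignore-unfixed: 'true'
+
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@v2
+continue-on-error: true
+with:
+sarif_file: 'trivy-results-${{ inputs.image }}.sarif'
+
+- name: Upload Scan Results
+uses: actions/upload-artifact@v3
+continue-on-error: true
+with:
+name: 'trivy-results-${{ inputs.image }}.sarif'
+path: 'trivy-results-${{ inputs.image }}.sarif'
+if: always()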
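Review bot: The "Load image for Trivy" rebuild at L356-L373 reads `cache-from: type=gha,scope=${{ inputs.image }}` (L361) while the pushed build at L336-L337 writes its cache under a scope that appends `-dos`/`-nap`, so NAP variants never hit that cache and Trivy scans a second, independently built image rather than the artifact that was pushed; aligning the line — `cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}` — restores the cache hit, and scanning the pushed image by its `digest` output (the same output build-oss.yml exports at L87) would let the scan speak for what was actually published. The NAP modules step at L321-L328 interpolates `${{ inputs.nap_modules }}` directly into a bash `[[ ]]` comparison and an assignment; passing it through `env:` and reading `"$NAP_MODULES"` is the standard way to keep a caller-supplied value from being parsed as shell, and `>> "$GITHUB_OUTPUT"` should be quoted as well. The hard-coded `DEBIAN_VERSION=buster-slim` at L351 and L370 pins an older Debian release and deserves a comment naming why that version is required, so the pin is revisited when the base image moves rather than silently carried forward.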