Build NGINX v1.25 image (#10629)

Author: rikatz

.github/workflows/nginx125.yaml

@@ -0,0 +1,167 @@
+name: NGINX v1.25 Image
+
+on:
+  pull_request:
+    branches:
+    - "*"
+    paths:
+    - 'images/nginx-1.25/**'
+  push:
+    branches:
+    - main
+    paths:
+    - 'images/nginx-1.25/**'
+
+permissions:
+    contents: read
+
+jobs:
+  changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
+    runs-on: ubuntu-latest
+    outputs:
+      nginx: ${{ steps.filter.outputs.nginx }}
+      tag: ${{ steps.filter.outputs.tag }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+      id: filter
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        filters: |
+          nginx:
+          - 'images/nginx-1.25/**'
+          tag:
+          - 'images/nginx-1.25/TAG'
+
+  build:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (github.event_name != 'push' && github.ref != 'refs/heads/main' && needs.changes.outputs.nginx == 'true')
+    env:
+      PLATFORMS: linux/amd64
+    steps:
+    - name: Checkout
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - name: Set up Go
+      id: go
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+      with:
+        go-version: '1.21.5'
+        check-latest: true
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+    - name: Set up Docker Buildx
+      id: buildx
+      uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      with:
+        version: latest
+        platforms: ${{ env.PLATFORMS }}
+    - name: Prepare Host
+      run: |
+        curl -LO https://dl.k8s.io/release/v1.27.3/bin/linux/amd64/kubectl
+        chmod +x ./kubectl
+        sudo mv ./kubectl /usr/local/bin/kubectl
+    - name: build-image
+      run: |
+        cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t nginx-1.25:1.0.0-dev .
+    - name: load-image
+      run: |
+        make clean-image build
+        make -C test/e2e-image image
+        docker build \
+          --platform linux \
+          --no-cache \
+          --build-arg BASE_IMAGE="nginx-1.25:1.0.0-dev" \
+          --build-arg VERSION="0.0.1-${{ github.sha }}" \
+          --build-arg TARGETARCH="amd64" \
+          --build-arg COMMIT_SHA="git-${{ github.sha }}" \
+          --build-arg BUILD_ID=""UNSET"" \
+          -t ingress-controller/controller:1.0.0-dev rootfs
+        docker save \
+          nginx-ingress-controller:e2e \
+          ingress-controller/controller:1.0.0-dev \
+          nginx-1.25:1.0.0-dev \
+          | gzip > docker.tar.gz
+    - name: cache
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      with:
+        name: docker.tar.gz
+        path: docker.tar.gz
+        retention-days: 2
+
+  e2e-test:
+    name: Kubernetes
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    strategy:
+      matrix:
+        k8s: [v1.27.3, v1.28.0, v1.29.0]
+    steps:
+    - name: Checkout
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+  
+    - name: cache
+      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      with:
+        name: docker.tar.gz
+  
+    - name: Create Kubernetes ${{ matrix.k8s }} cluster
+      id: kind
+      run: |
+        kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml
+  
+    - name: Load images from cache
+      run: |
+        echo "loading docker images..."
+        gzip -dc docker.tar.gz | docker load
+  
+    - name: Run e2e tests
+      env:
+        KIND_CLUSTER_NAME: kind
+        SKIP_CLUSTER_CREATION: true
+        SKIP_IMAGE_CREATION: true
+        SKIP_OPENTELEMETRY_TESTS: true
+      run: |
+        kind get kubeconfig > $HOME/.kube/kind-config-kind
+        make NGINX_BASE_IMAGE="nginx-1.25:1.0.0-dev" kind-e2e-test
+        
+  push:
+    permissions:
+      contents: write
+      packages: write
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.tag == 'true')
+    env:
+      PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/s390x
+    steps:
+    - name: Checkout
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+    - name: Set up Docker Buildx
+      id: buildx
+      uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      with:
+        version: latest
+        platforms: ${{ env.PLATFORMS }}
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - name: build-image
+      run: |
+        export TAG=$(cat images/nginx-1.25/TAG)
+        cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push --load -t ingressnginx/nginx-1.25:${TAG} .
+

Makefile

@@ -68,7 +68,6 @@ image: clean-image ## Build image for a particular arch.
 	docker build \
 		${PLATFORM_FLAG} ${PLATFORM} \
 		--no-cache \
-		--pull \
 		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
 		--build-arg VERSION="$(TAG)" \
 		--build-arg TARGETARCH="$(ARCH)" \
@@ -85,7 +84,6 @@ image-chroot: clean-chroot-image ## Build image for a particular arch.
 	echo "Building docker image ($(ARCH))..."
 	docker build \
 		--no-cache \
-		--pull \
 		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
 		--build-arg VERSION="$(TAG)" \
 		--build-arg TARGETARCH="$(ARCH)" \

images/nginx-1.25/Makefile

@@ -0,0 +1,59 @@
+# Copyright 2024 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.DEFAULT_GOAL:=build
+
+# set default shell
+SHELL=/bin/bash -o pipefail -o errexit
+
+DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
+INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
+
+# 0.0.0 shouldn't clobber any released builds
+SHORT_SHA ?=$(shell git rev-parse --short HEAD)
+TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA)
+
+REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
+
+IMAGE = $(REGISTRY)/nginx
+
+# required to enable buildx
+export DOCKER_CLI_EXPERIMENTAL=enabled
+
+# build with buildx
+PLATFORMS?=linux/amd64,linux/arm,linux/arm64,linux/s390x
+OUTPUT=
+PROGRESS=plain
+build: ensure-buildx
+	docker buildx build \
+		--platform=${PLATFORMS} $(OUTPUT) \
+		--progress=$(PROGRESS) \
+		--pull \
+		--tag $(IMAGE):$(TAG) rootfs
+
+# push the cross built image
+push: OUTPUT=--push
+push: build
+
+# enable buildx
+ensure-buildx:
+# this is required for cloudbuild
+ifeq ("$(wildcard $(INIT_BUILDX))","")
+	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
+else
+	@exec $(INIT_BUILDX)
+endif
+	@echo "done"
+
+.PHONY: build push ensure-buildx

images/nginx-1.25/README.md

@@ -0,0 +1,3 @@
+NGINX 1.25 base image
+
+**Don't use in production!!!**

images/nginx-1.25/TAG

@@ -0,0 +1 @@
+v0.0.1

images/nginx-1.25/cloudbuild.yaml

@@ -0,0 +1,17 @@
+timeout: 10800s
+options:
+  substitution_option: ALLOW_LOOSE
+  # job builds a multi-arch docker image for amd64,arm,arm64 and s390x.
+  machineType: E2_HIGHCPU_32
+steps:
+  - name: 'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90'
+    entrypoint: bash
+    env:
+      - DOCKER_CLI_EXPERIMENTAL=enabled
+      - REGISTRY=gcr.io/k8s-staging-ingress-nginx
+      - HOME=/root
+    args:
+    - -c
+    - |
+      gcloud auth configure-docker \
+      && cd images/nginx-1.25 && make push

images/nginx-1.25/rootfs/Dockerfile

@@ -0,0 +1,71 @@
+# Copyright 2024 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM alpine:3.19.0 as builder
+
+COPY . /
+
+RUN apk update \
+  && apk upgrade \
+  && apk add -U bash --no-cache \
+  && /build.sh
+
+# Use a multi-stage build
+FROM alpine:3.19.0
+
+ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin
+
+ENV LUA_PATH="/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;"
+ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
+
+COPY --from=builder /usr/local /usr/local
+COPY --from=builder /opt /opt
+COPY --from=builder /etc/nginx /etc/nginx
+
+RUN apk update \
+  && apk upgrade \
+  && apk add -U --no-cache \
+  bash \
+  openssl \
+  pcre \
+  zlib \
+  ca-certificates \
+  patch \
+  yajl \
+  lmdb \
+  libxml2 \
+  libmaxminddb \
+  yaml-cpp \
+  dumb-init \
+  tzdata \
+  && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \
+  && adduser -S -D -H -u 101 -h /usr/local/nginx \
+  -s /sbin/nologin -G www-data -g www-data www-data \
+  && bash -eu -c ' \
+  writeDirs=( \
+  /var/log/nginx \
+  /var/lib/nginx/body \
+  /var/lib/nginx/fastcgi \
+  /var/lib/nginx/proxy \
+  /var/lib/nginx/scgi \
+  /var/lib/nginx/uwsgi \
+  /var/log/audit \
+  ); \
+  for dir in "${writeDirs[@]}"; do \
+  mkdir -p ${dir}; \
+  chown -R www-data.www-data ${dir}; \
+  done'
+
+EXPOSE 80 443
+
+CMD ["nginx", "-g", "daemon off;"]