
Commit ccc3655

committed
Allow easier updates to Agent versions on NAP images
1 parent 59a5d4e commit ccc3655


2 files changed

+28
-18
lines changed


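--- a/Makefile
+++ b/Makefile
@@ -5,6 +5,7 @@ VERSION = $(VER)-SNAPSHOT
 NGINX_OSS_VERSION ?= 1.29
 NGINX_PLUS_VERSION ?= R35
 NGINX_AGENT_VERSION ?= 3.3
+NAP_AGENT_VERSION ?= 2.*
 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key
 
 # Variables that can be overridden
@@ -153,32 +154,32 @@ alpine-image-plus-fips: build ## Create Docker image for Ingress Controller (Alp
 
 .PHONY: alpine-image-nap-plus-fips
 alpine-image-nap-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF and FIPS)
-$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-fips
+$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-fips --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION)
 
 .PHONY: alpine-image-nap-v5-plus-fips
 alpine-image-nap-v5-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAFv5 and FIPS)
 $(DOCKER_CMD) $(PLUS_ARGS) \
---build-arg BUILD_OS=alpine-plus-nap-v5-fips
+--build-arg BUILD_OS=alpine-plus-nap-v5-fips --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION)
 
 .PHONY: debian-image-plus
 debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus)
 $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus --build-arg NGINX_AGENT_VERSION=$(NGINX_AGENT_VERSION)
 
 .PHONY: debian-image-nap-plus
 debian-image-nap-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAF)
-$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf
+$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION)
 
 .PHONY: debian-image-nap-v5-plus
 debian-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAFv5)
-$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap-v5
+$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap-v5 --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION)
 
 .PHONY: debian-image-dos-plus
 debian-image-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect DoS)
 $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=dos
 
 .PHONY: debian-image-nap-dos-plus
 debian-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus, NGINX App Protect WAF and DoS)
-$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf,dos
+$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf,dos --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION)
 
 .PHONY: ubi-image
 ubi-image: build ## Create Docker image for Ingress Controller (UBI)
@@ -190,29 +191,29 @@ ubi-image-plus: build ## Create Docker image for Ingress Controller (UBI with NG
 
 .PHONY: ubi-image-nap-plus
 ubi-image-nap-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAF)
-$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap --build-arg NAP_MODULES=waf
+$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap --build-arg NAP_MODULES=waf --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION)
 
 .PHONY: ubi8-image-nap-plus
 ubi8-image-nap-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAF)
-$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-8-plus-nap --build-arg NAP_MODULES=waf
+$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-8-plus-nap --build-arg NAP_MODULES=waf --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION)
 
 .PHONY: ubi-image-nap-v5-plus
 ubi-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAFv5)
 $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license \
---build-arg BUILD_OS=ubi-9-plus-nap-v5
+--build-arg BUILD_OS=ubi-9-plus-nap-v5 --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION)
 
 .PHONY: ubi8-image-nap-v5-plus
 ubi8-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAFv5)
 $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license \
---build-arg BUILD_OS=ubi-8-plus-nap-v5
+--build-arg BUILD_OS=ubi-8-plus-nap-v5 --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION)
 
 .PHONY: ubi-image-dos-plus
 ubi-image-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect DoS)
 $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap --build-arg NAP_MODULES=dos
 
 .PHONY: ubi-image-nap-dos-plus
 ubi-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, NGINX App Protect WAF and DoS)
-$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap --build-arg NAP_MODULES=waf,dos
+$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap --build-arg NAP_MODULES=waf,dos --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION)
 
 .PHONY: all-images ## Create all the Docker images for Ingress Controller
 all-images: alpine-image alpine-image-plus alpine-image-plus-fips alpine-image-nap-plus-fips debian-image debian-image-plus debian-image-nap-plus debian-image-dos-plus debian-image-nap-dos-plus ubi-image ubi-image-plus ubi-image-nap-plus ubi-image-dos-plus ubi-image-nap-dos-plus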
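Review bot: The ten recipes that now pass `--build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION)` hand the default `2.*` to the shell unquoted, so the word is open to pathname expansion and, for an overridden value containing whitespace, word splitting; quoting it as `--build-arg NAP_AGENT_VERSION='$(NAP_AGENT_VERSION)'` keeps the pattern literal. The definition `NAP_AGENT_VERSION ?= 2.*` at new line 8 would also read better with a comment such as `# nginx-agent version pattern for App Protect images; the default floats to the newest 2.x at build time`, since the value is a package-manager pattern rather than a release number and the same default is repeated as `ARG NAP_AGENT_VERSION=2.*` in build/Dockerfile. Because the argument is repeated verbatim in every NAP WAF target, a shared variable next to `PLUS_ARGS` (for example `NAP_AGENT_ARGS`) would keep the targets from drifting apart.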

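--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -3,6 +3,7 @@ ARG BUILD_OS=debian
 ARG NGINX_OSS_VERSION=1.29
 ARG NGINX_PLUS_VERSION=R35
 ARG NGINX_AGENT_VERSION=3.3
+ARG NAP_AGENT_VERSION=2.*
 ARG DOWNLOAD_TAG=edge
 ARG DEBIAN_FRONTEND=noninteractive
 ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG}
@@ -208,6 +209,7 @@ RUN --mount=type=bind,from=alpine-fips-3.22,target=/tmp/fips/ \
 FROM alpine:3.19@sha256:3be987e6cde1d07e873c012bf6cfe941e6e85d16ca5fc5b8bedc675451d2de67 AS alpine-plus-nap-fips
 ARG NGINX_PLUS_VERSION
 ARG PACKAGE_REPO
+ARG NAP_AGENT_VERSION
 
 ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
 
@@ -224,7 +226,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \
 && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
 && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
 && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \
-&& apk add --no-cache nginx-agent~2 \
+&& apk add --no-cache nginx-agent~${NAP_AGENT_VERSION%.*} \
 && mkdir -p /usr/ssl \
 && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \
 && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \
@@ -241,6 +243,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \
 FROM alpine:3.19@sha256:3be987e6cde1d07e873c012bf6cfe941e6e85d16ca5fc5b8bedc675451d2de67 AS alpine-plus-nap-v5-fips
 ARG NGINX_PLUS_VERSION
 ARG PACKAGE_REPO
+ARG NAP_AGENT_VERSION
 
 ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
 
@@ -255,7 +258,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \
 && printf "%s\n" "https://${PACKAGE_REPO}/app-protect-x-plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
 && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
 && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \
-&& apk add --no-cache nginx-agent~2 \
+&& apk add --no-cache nginx-agent~${NAP_AGENT_VERSION%.*} \
 && mkdir -p /usr/ssl \
 && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \
 && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \
@@ -321,6 +324,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 FROM debian-plus-only AS debian-plus-nap
 ARG NAP_MODULES
 ARG NGINX_PLUS_VERSION
+ARG NAP_AGENT_VERSION
 
 ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
 
@@ -337,7 +341,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 cp /tmp/app-protect.sources /etc/apt/sources.list.d/app-protect.sources \
 && cp /tmp/nginx-agent.sources /etc/apt/sources.list.d/nginx-agent.sources \
 && apt-get update \
-&& apt-get install --no-install-recommends --no-install-suggests -y app-protect app-protect-attack-signatures app-protect-threat-campaigns nginx-agent=2.* \
+&& apt-get install --no-install-recommends --no-install-suggests -y app-protect app-protect-attack-signatures app-protect-threat-campaigns nginx-agent=${NAP_AGENT_VERSION}* \
 && rm -f /etc/apt/sources.list.d/app-protect.sources /etc/apt/sources.list.d/nginx-agent.sources \
 && nap-waf.sh \
 && agent.sh; \
@@ -354,6 +358,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 ############################################# Base image for Debian with NGINX Plus and App Protect WAFv5 #############################################
 FROM debian-plus-only AS debian-plus-nap-v5
 ARG NGINX_PLUS_VERSION
+ARG NAP_AGENT_VERSION
 
 ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
 
@@ -365,7 +370,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \
 --mount=type=bind,from=nginx-files,src=debian-agent-12.sources,target=/etc/apt/sources.list.d/nginx-agent.sources \
 apt-get update \
-&& apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=2.* app-protect-module-plus=35+5.498* nginx-plus-module-appprotect=35+5.498* app-protect-plugin=6.20.0* \
+&& apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=${NAP_AGENT_VERSION}* app-protect-module-plus=35+5.498* nginx-plus-module-appprotect=35+5.498* app-protect-plugin=6.20.0* \
 && nap-waf.sh \
 && agent.sh
 
@@ -400,6 +405,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 FROM ubi-minimal AS ubi-9-plus-nap
 ARG NAP_MODULES
 ARG BUILD_OS
+ARG NAP_AGENT_VERSION
 
 RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
 --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
@@ -420,7 +426,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \
 && ubi-setup.sh \
 && rpm -Uvh /ubi-bin/c-ares-*.rpm \
-&& microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check nginx-plus-module-otel nginx-agent-2.* \
+&& microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check nginx-plus-module-otel nginx-agent-${NAP_AGENT_VERSION}* \
 && source /tmp/rhel_license \
 && microdnf --nodocs install -y ca-certificates shadow-utils subscription-manager \
 && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
@@ -447,6 +453,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 
 ############################################# Base image for UBI with NGINX Plus and App Protect WAFv5 #############################################
 FROM ubi-minimal AS ubi-9-plus-nap-v5
+ARG NAP_AGENT_VERSION
 
 RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
 --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
@@ -468,7 +475,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
 && rpm -Uvh /ubi-bin/c-ares-*.rpm \
 && microdnf --nodocs install -y ca-certificates shadow-utils subscription-manager \
-&& microdnf --nodocs install -y nginx-plus-module-otel nginx-agent-2.* app-protect-module-plus-35+5.498* \
+&& microdnf --nodocs install -y nginx-plus-module-otel nginx-agent-${NAP_AGENT_VERSION}* app-protect-module-plus-35+5.498* \
 && nap-waf.sh \
 && ubi-clean.sh \
 && agent.sh
@@ -478,6 +485,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 FROM redhat/ubi8@sha256:534c2c0efa4150ede18e3f9d7480d3b9ec2a52e62bc91cd54e08ee7336819619 AS ubi-8-plus-nap
 ARG NGINX_PLUS_VERSION
 ARG BUILD_OS
+ARG NAP_AGENT_VERSION
 
 ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
 
@@ -500,7 +508,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 && rpm --import /tmp/nginx_signing.key \
 && rpm --import /tmp/app-protect-security-updates.key \
 && rpm -Uvh /ubi-bin/c-ares-*.rpm \
-&& dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-2.* \
+&& dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NAP_AGENT_VERSION}* \
 && sed -i 's/\(def in_container():\)/\1\n return False/g' /usr/lib64/python*/*-packages/rhsm/config.py \
 && subscription-manager register --org=${RHEL_ORGANIZATION} --activationkey=${RHEL_ACTIVATION_KEY} --name ${BUILD_OS}-$(uname -m) || true \
 && subscription-manager attach \
@@ -516,6 +524,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 ############################################# Base image for UBI8 with NGINX Plus and App Protect WAFv5 #############################################
 FROM redhat/ubi8@sha256:534c2c0efa4150ede18e3f9d7480d3b9ec2a52e62bc91cd54e08ee7336819619 AS ubi-8-plus-nap-v5
 ARG NGINX_PLUS_VERSION
+ARG NAP_AGENT_VERSION
 
 ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
 
@@ -537,7 +546,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
 && rpm --import /tmp/nginx_signing.key \
 && rpm -Uvh /ubi-bin/c-ares-*.rpm \
-&& dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-2.* \
+&& dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NAP_AGENT_VERSION}* \
 && dnf --nodocs install -y app-protect-module-plus-35+5.498* \
 && nap-waf.sh \
 && agent.sh \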
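Review bot: The same `NAP_AGENT_VERSION` value produces different version constraints depending on the base OS: the two Alpine stages install `nginx-agent~${NAP_AGENT_VERSION%.*}`, which drops everything after the last dot, while the Debian and UBI stages append `*` to the full value. With an override such as `2.41.1` (a constructed example) Debian/UBI request `2.41.1*` but Alpine only constrains to `2.41`, and with the default the apt line expands to `nginx-agent=2.**`; anyone pinning the agent to a known-good release for a security fix would not get the same pin on every image. Consider documenting the accepted format beside the global `ARG NAP_AGENT_VERSION=2.*`, e.g. `# version prefix for nginx-agent on NAP images; Alpine uses only the part before the last dot`, and quoting the package arguments (`"nginx-agent=${NAP_AGENT_VERSION}*"`) so the shell passes the pattern through unchanged. The RUN instructions involved begin and end outside the hunks shown.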
