From 151518f41379058af8f69466ed248927dbcfbe26 Mon Sep 17 00:00:00 2001
From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Date: Tue, 10 Dec 2024 18:02:13 +0800
Subject: [PATCH 1/5] add fips image to pipeline
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
---
 .github/config/config-plus-nginx | 6 +++---
 .github/data/matrix-smoke-nap.json | 16 ++++++++++++----
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/.github/config/config-plus-nginx b/.github/config/config-plus-nginx
index 0490242f7d..546c636721 100644
--- a/.github/config/config-plus-nginx
+++ b/.github/config/config-plus-nginx
@@ -1,8 +1,8 @@
 export TARGET_REGISTRY=docker-mgmt.nginx.com
 export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 export PUBLISH_OSS=false
diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json
index 39c47a4e03..3d89f56e52 100644
--- a/.github/data/matrix-smoke-nap.json
+++ b/.github/data/matrix-smoke-nap.json
@@ -1,7 +1,7 @@
 {
 "images": [
 {
- "label": "AP_WAF 1/4",
+ "label": "AP_WAF 1/5",
 "image": "ubi-8-plus-nap",
 "type": "plus",
 "nap_modules": "waf",
@@ -9,7 +9,15 @@
 "platforms": "linux/amd64"
 },
 {
- "label": "AP_WAF 2/4",
+ "label": "AP_WAF 2/5",
+ "image": "alpine-plus-nap-fips",
+ "type": "plus",
+ "nap_modules": "waf",
+ "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow'",
+ "platforms": "linux/amd64"
+ },
+ {
+ "label": "AP_WAF 3/5",
 "image": "ubi-9-plus-nap",
 "type": "plus",
 "nap_modules": "waf",
@@ -17,7 +25,7 @@
 "platforms": "linux/amd64"
 },
 {
- "label": "AP_WAF 3/4",
+ "label": "AP_WAF 4/5",
 "image": "debian-plus-nap",
 "type": "plus",
 "nap_modules": "waf",
@@ -25,7 +33,7 @@
 "platforms": "linux/amd64"
 },
 {
- "label": "AP_WAF 4/4",
+ "label": "AP_WAF 5/5",
 "image": "debian-plus-nap",
 "type": "plus",
 "nap_modules": "waf",
From d1ede08977a4a27aefc82ea57170790693c22fb8 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 11 Dec 2024 12:37:29 +0000
Subject: [PATCH 2/5] re-add fips images to patching and release
---
 .github/config/config-plus-gcr-release | 6 +++---
 .github/data/matrix-smoke-nap.json | 18 +++++-------------
 .github/data/matrix-smoke-plus.json | 4 ++--
 .github/data/patch-images.json | 18 ++++++++++++++++++
 4 files changed, 28 insertions(+), 18 deletions(-)
diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release
index 175f34cc3d..e1c6d12e01 100644
--- a/.github/config/config-plus-gcr-release
+++ b/.github/config/config-plus-gcr-release
@@ -1,7 +1,7 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-mktpl")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-mktpl")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips" "-mktpl")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips" "-ubi8")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json
index 3d89f56e52..00da4fe68e 100644
--- a/.github/data/matrix-smoke-nap.json
+++ b/.github/data/matrix-smoke-nap.json
@@ -1,7 +1,7 @@
 {
 "images": [
 {
- "label": "AP_WAF 1/5",
+ "label": "AP_WAF 1/4",
 "image": "ubi-8-plus-nap",
 "type": "plus",
 "nap_modules": "waf",
@@ -9,15 +9,7 @@
 "platforms": "linux/amd64"
 },
 {
- "label": "AP_WAF 2/5",
- "image": "alpine-plus-nap-fips",
- "type": "plus",
- "nap_modules": "waf",
- "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow'",
- "platforms": "linux/amd64"
- },
- {
- "label": "AP_WAF 3/5",
+ "label": "AP_WAF 2/4",
 "image": "ubi-9-plus-nap",
 "type": "plus",
 "nap_modules": "waf",
@@ -25,7 +17,7 @@
 "platforms": "linux/amd64"
 },
 {
- "label": "AP_WAF 4/5",
+ "label": "AP_WAF 3/4",
 "image": "debian-plus-nap",
 "type": "plus",
 "nap_modules": "waf",
@@ -33,8 +25,8 @@
 "platforms": "linux/amd64"
 },
 {
- "label": "AP_WAF 5/5",
- "image": "debian-plus-nap",
+ "label": "AP_WAF 4/4",
+ "image": "alpine-plus-nap-fips",
 "type": "plus",
 "nap_modules": "waf",
 "marker": "'appprotect_watch or appprotect_batch or appprotect_integration or appprotect_waf_policies_vsr'",
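Review bot: In the `NAP_WAFV5_TAG_POSTFIX_LIST` line of `.github/config/config-plus-gcr-release`, `-alpine-fips` is placed before `-ubi8`, whereas the `NAP_WAF_TAG_POSTFIX_LIST` line above it and all three lists in `.github/config/config-plus-nginx` put it after `-ubi8`. Whether the order matters depends on how the publishing script walks these arrays, which is not visible here, but keeping one order makes the registry configs comparable line by line. I would write `declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")`.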
diff --git a/.github/data/matrix-smoke-plus.json b/.github/data/matrix-smoke-plus.json
index b92ba8cfac..572d6e4d8a 100644
--- a/.github/data/matrix-smoke-plus.json
+++ b/.github/data/matrix-smoke-plus.json
@@ -37,7 +37,7 @@
 },
 {
 "label": "ingresses 2/2",
- "image": "alpine-plus",
+ "image": "alpine-plus-fips",
 "type": "plus",
 "marker": "'annotations or basic_auth or hsts or watch_namespace or wildcard_tls'",
 "platforms": "linux/arm64, linux/amd64"
@@ -51,7 +51,7 @@
 },
 {
 "label": "VSR 2/3",
- "image": "alpine-plus",
+ "image": "alpine-plus-fips",
 "type": "plus",
 "marker": "'vsr_basic or vsr_canned or vsr_rewrite or vsr_redirects or vsr_upstream'",
 "platforms": "linux/arm64, linux/amd64"
diff --git a/.github/data/patch-images.json b/.github/data/patch-images.json
index 9bb2490855..b258b2c4ce 100644
--- a/.github/data/patch-images.json
+++ b/.github/data/patch-images.json
@@ -35,6 +35,12 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress",
 "platforms": "linux/arm64, linux/amd64"
 },
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress",
+ "source_os": "alpine-fips",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress",
+ "platforms": "linux/arm64, linux/amd64"
+ },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress",
 "source_os": "ubi",
@@ -65,6 +71,12 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
 "platforms": "linux/amd64"
 },
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
+ "source_os": "alpine-fips",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
+ "platforms": "linux/amd64"
+ },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
 "source_os": "debian",
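Review bot: Both rows touched in `matrix-smoke-plus.json`, `ingresses 2/2` and `VSR 2/3`, replace `alpine-plus` with `alpine-plus-fips` instead of adding a FIPS row next to it. If these were the only rows using `alpine-plus` (the rest of the file is outside the hunks), the non-FIPS Alpine image, which the config files still publish under the `-alpine` postfix, no longer gets a smoke run. I would keep one of the two rows on `"image": "alpine-plus",` or add the FIPS image as extra rows.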
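Review bot: The new `alpine-fips` entry in the `@@ -35,6 +35,12 @@` hunk of `patch-images.json` (and the two like it in the `-65` and `-83` hunks) takes its `source_image` from the `release` registry with no visible lower bound on which release tags get re-patched. Patch 4/5 of this series deletes the release note that warned that patching older FIPS images could re-introduce the incompatible dependency, so the patch workflow should be confirmed to skip FIPS tags built before that dependency was fixed. The tag-selection logic is outside this file; if it has no such filter, that needs to land before these entries do.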
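Review bot: The `nginx-ic-nap` entry in the `@@ -65,6 +71,12 @@` hunk and the `nginx-ic-nap-v5` entry in the `@@ -83,6 +95,12 @@` hunk set `"platforms": "linux/amd64"`, but the technical-specifications table added in patch 3/5 lists `arm64` and `amd64` for both `-alpine-fips` NAP images. The Debian NAP rows in that same table say `amd64` only, which suggests the table is the side that is off, though that is an inference. Either the table rows or these `platforms` values should be changed so that the documented architectures match what is actually built and patched.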
@@ -83,6 +95,12 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
 "platforms": "linux/amd64"
 },
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
+ "source_os": "alpine-fips",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
+ "platforms": "linux/amd64"
+ },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress",
 "source_os": "debian",
From 1176478a10fca12e27f082c720247d4c7963ab8b Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 11 Dec 2024 13:50:37 +0000
Subject: [PATCH 3/5] add fips images to tech specs
---
 site/content/technical-specifications.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/site/content/technical-specifications.md b/site/content/technical-specifications.md
index 4bab37dac3..554569285c 100644
--- a/site/content/technical-specifications.md
+++ b/site/content/technical-specifications.md
@@ -74,6 +74,9 @@ NGINX Plus images are available through the F5 Container registry `private-regis |
Name
|
Base image
|
Third-party modules
| F5 Container Registry Image | Architectures | | ---| ---| --- | --- | --- | |Alpine-based image | ``alpine:3.20`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine` | arm64
amd64 | +|Alpine-based image with FIPS inside | ``alpine:3.20`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 | +|Alpine-based image with NGINX App Protect WAF & FIPS inside | ``alpine:3.17`` | NGINX App Protect WAF

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 | +|Alpine-based image with NGINX App Protect WAF v5 & FIPS inside | ``alpine:3.17`` | NGINX App Protect WAF v5

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 | |Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}` | arm64
amd64 | |Debian-based image with NGINX App Protect WAF | ``debian:12-slim`` | NGINX App Protect WAF

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}` | amd64 | |Debian-based image with NGINX App Protect WAF v5 | ``debian:12-slim`` | NGINX App Protect WAF v5

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}` | amd64 |
From 9c94b1f1e569c36405e0bc188e6dec4364b0ea1d Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 11 Dec 2024 13:53:50 +0000
Subject: [PATCH 4/5] remove FIPS note from release notes
---
 site/content/releases.md | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/site/content/releases.md b/site/content/releases.md
index 6b8aa8c6d4..cbb810d778 100644
--- a/site/content/releases.md
+++ b/site/content/releases.md
@@ -8,14 +8,6 @@ toc: true weight: 2100 --- -{{< note >}} -FIPS compliant images are currently impacted by compatibility issues with a dependent library. - -We recommend against: -1. Patching older FIPS images, which could re-introduce the incompatible dependency. -2. Building new custom FIPS images. -{{< /note >}} - {{< note >}} In our next major release, `v4.0.0`, the default log library for NGINX Ingress Controller will be changed from `golang/glog` to `log/slog`. This will mean that logs generated by NGINX Ingress Controller will be in a structured format with the option to choose a `string` or `json` output.
From 1b58431ccbdd9dbedb77c2b4a516d6aa957c1845 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 11 Dec 2024 14:17:47 +0000
Subject: [PATCH 5/5] switch tests for fips
---
 .github/data/matrix-smoke-nap.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json
index 00da4fe68e..1d780e7a7d 100644
--- a/.github/data/matrix-smoke-nap.json
+++ b/.github/data/matrix-smoke-nap.json
@@ -18,7 +18,7 @@
 },
 {
 "label": "AP_WAF 3/4",
- "image": "debian-plus-nap",
+ "image": "alpine-plus-nap-fips",
 "type": "plus",
 "nap_modules": "waf",
 "marker": "appprotect_waf_policies_grpc",
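Review bot: After this switch the `AP_WAF 3/4` row runs `alpine-plus-nap-fips` under the `appprotect_waf_policies_grpc` marker only, and nothing in the row distinguishes a FIPS run from an ordinary one. A functional pass on this image shows that it starts and enforces the policy, not that OpenSSL inside it is actually running with the FIPS module the docs table advertises. If the test suite has no marker that asserts this, one should be added and listed in this row's `marker`. The visible hunks also show no smoke row for the NAP v5 FIPS image that the config files now publish under `-alpine-fips`; that may live in another matrix file, so treat it as a question.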
@@ -26,7 +26,7 @@
 },
 {
 "label": "AP_WAF 4/4",
- "image": "alpine-plus-nap-fips",
+ "image": "debian-plus-nap",
 "type": "plus",
 "nap_modules": "waf",
 "marker": "'appprotect_watch or appprotect_batch or appprotect_integration or appprotect_waf_policies_vsr'",