From ea78b7d675ba597f75480b81571a1f80946810fe Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 27 Jun 2025 17:21:37 +0100 Subject: [PATCH 01/10] Update NGINX OSS to 1.29.0 --- build/Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index bad070f35..288e7e565 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -82,7 +82,7 @@ USER 101 ############################################# Base image for Alpine ############################################# -FROM nginx:1.27.5-alpine@sha256:65645c7bb6a0661892a8b03b89d0743208a18dd2f3f17a54ef4b76fb8e2f2a10 AS alpine +FROM nginx:1.29.0-alpine@sha256:b2e814d28359e77bd0aa5fed1939620075e4ffa0eb20423cc557b375bd5c14ad AS alpine ARG PACKAGE_REPO ARG NGINX_OSS_VERSION @@ -100,8 +100,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk ############################################# Base image for Debian ############################################# -FROM nginx:1.27.5@sha256:6784fb0834aa7dbbe12e3d7471e69c290df3e6ba810dc38b34ae33d3c1c05f7d AS debian -ARG NGINX_OSS_VERSION +FROM nginx:1.29.0@sha256:dc53c8f25a10f9109190ed5b59bda2d707a3bde0e45857ce9e1efaa32ff9cbc1 AS debian RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ From 54d2a09a9f83730abffbde9746a7954dce884b32 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Mon, 14 Jul 2025 16:56:53 +0100 Subject: [PATCH 02/10] update to agent 3.1 --- build/Dockerfile | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 288e7e565..5809bc61f 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -93,7 +93,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk && export $(cat /tmp/user_agent) \ && printf "%s%s%s\n" "http://packages.nginx.org/nginx/mainline/alpine/v" `egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release` "/main" >> /etc/apk/repositories \ && printf "%s%s%s\n" "http://packages.nginx.org/nginx-agent/alpine/v" `egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release` "/main" >> /etc/apk/repositories \ - && apk add --no-cache nginx-module-otel~${NGINX_OSS_VERSION} "nginx-agent<3.1" \ + && apk add --no-cache nginx-module-otel~${NGINX_OSS_VERSION} nginx-agent~3.1 \ && ldconfig /usr/local/lib/ \ && agent.sh \ && sed -i -e '/nginx.org/d' /etc/apk/repositories @@ -115,7 +115,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s http://packages.nginx.org/nginx-agent/debian `lsb_release -cs` agent" >> /etc/apt/sources.list.d/nginx.list \ && printf "%s" "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" > /etc/apt/preferences.d/99nginx \ && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=3.0.* nginx-module-otel=${NGINX_OSS_VERSION}* \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=3.1.* nginx-module-otel=${NGINX_OSS_VERSION}* \ && apt-get purge --auto-remove -y gpg \ && rm -rf /var/lib/apt/lists/* /etc/apt/preferences.d/99nginx /etc/apt/sources.list.d/nginx.list \ && agent.sh @@ -158,7 +158,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s && printf "%s\n" "[agent]" "name=agent repo" \ "baseurl=https://packages.nginx.org/nginx-agent/centos/9/\$basearch/" \ "gpgcheck=1" "enabled=1" "module_hotfixes=true" >> /etc/yum.repos.d/nginx.repo \ - && microdnf --nodocs install -y nginx-${NGINX_OSS_VERSION}* nginx-module-njs-${NGINX_OSS_VERSION}* nginx-module-otel-${NGINX_OSS_VERSION}* nginx-module-image-filter-${NGINX_OSS_VERSION}* nginx-module-xslt-${NGINX_OSS_VERSION}* nginx-agent-3.0.* \ + && microdnf --nodocs install -y nginx-${NGINX_OSS_VERSION}* nginx-module-njs-${NGINX_OSS_VERSION}* nginx-module-otel-${NGINX_OSS_VERSION}* nginx-module-image-filter-${NGINX_OSS_VERSION}* nginx-module-xslt-${NGINX_OSS_VERSION}* nginx-agent-3.1.* \ && rm /etc/yum.repos.d/nginx.repo \ && ubi-clean.sh @@ -178,7 +178,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ export $(cat /tmp/user_agent) \ && printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check "nginx-agent<3.1" libcap libcurl \ + && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent~3.1 libcap libcurl \ && mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ && agent.sh \ && sed -i -e '/nginx.com/d' /etc/apk/repositories @@ -219,7 +219,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache "nginx-agent<3" \ + && apk add --no-cache nginx-agent~3.1 \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ @@ -250,7 +250,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://${PACKAGE_REPO}/app-protect-x-plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache "nginx-agent<3" \ + && apk add --no-cache nginx-agent~3.1 \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ @@ -307,7 +307,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode apt-get update \ && cp /tmp/nginx-agent.sources /etc/apt/sources.list.d/nginx-agent.sources \ && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=3.0.* \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=3.1.* \ && agent.sh \ && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-agent.sources @@ -384,7 +384,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ && ubi-setup.sh \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-3.0.* \ + && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-3.1.* \ && agent.sh \ && ubi-clean.sh From bfb690ec9e52fc757f92e03f707e836efebd952c Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Mon, 14 Jul 2025 17:16:34 +0100 Subject: [PATCH 03/10] update nginx version --- Makefile | 2 +- build/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 8376aa924..67136e067 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ VER = $(shell grep IC_VERSION .github/data/version.txt | cut -d '=' -f 2) GIT_TAG = $(shell git describe --exact-match --tags || echo untagged) VERSION = $(VER)-SNAPSHOT -NGINX_OSS_VERSION ?= 1.27 +NGINX_OSS_VERSION ?= 1.29 NGINX_PLUS_VERSION ?= R34 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key diff --git a/build/Dockerfile b/build/Dockerfile index 5809bc61f..6f1a32fc9 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1.16 ARG BUILD_OS=debian -ARG NGINX_OSS_VERSION=1.27 +ARG NGINX_OSS_VERSION=1.29 ARG NGINX_PLUS_VERSION=R34 ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive From a88d8390a1225775a11ce93b0afdf195a80d6274 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Wed, 16 Jul 2025 10:31:54 +0100 Subject: [PATCH 04/10] Update Alpine from 3.21 to 3.22 --- build/Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 6f1a32fc9..3bd66d1bc 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -13,7 +13,7 @@ ARG PACKAGE_REPO=pkgs.nginx.com FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi8@sha256:12b2f675a94fed04ab5787d78a27b4f8723991bdbe1403257e71de368e7ec852 AS ubi8-packages FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:c9c269ae1ae6a4608fe4e6536073cdea9445433de652fd8ac667992a1ed198d6 AS ubi9-packages FROM ghcr.io/nginx/alpine-fips:0.3.0-alpine3.19@sha256:449f1a149e81e36bb929ebd362433a06a158ff2a7e3ba05b4b8d9ea96d59ae91 AS alpine-fips-3.19 -FROM ghcr.io/nginx/alpine-fips:0.3.0-alpine3.21@sha256:5e5033f34ae7147ce8df928fa58c485bc08ded8ace22428b4c16df30e3b39901 AS alpine-fips-3.21 +FROM ghcr.io/nginx/alpine-fips:0.3.0-alpine3.22@sha256:86a8ec5ff400572d9004fcfe1468f9c22954ebd7d2b57910cb8d454f148f4ad4 AS alpine-fips-3.22 FROM redhat/ubi9-minimal:9.6@sha256:e6b39b0a2cd88c0d904552eee0dca461bc74fe86fda3648ca4f8150913c79d0f AS ubi-minimal FROM golang:1.24-alpine@sha256:c8c5f95d64aa79b6547f3b626eb84b16a7ce18a139e3e9ca19a8c078b85ba80d AS golang-builder @@ -163,7 +163,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s && ubi-clean.sh ############################################# Base image for Alpine with NGINX Plus ############################################## -FROM alpine:3.21@sha256:b6a6be0ff92ab6db8acd94f5d1b7a6c2f0f5d10ce3c24af348d333ac6da80685 AS alpine-plus +FROM alpine:3.22@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1 AS alpine-plus ARG NGINX_PLUS_VERSION ARG PACKAGE_REPO @@ -190,7 +190,7 @@ ARG NGINX_PLUS_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} -RUN --mount=type=bind,from=alpine-fips-3.21,target=/tmp/fips/ \ +RUN --mount=type=bind,from=alpine-fips-3.22,target=/tmp/fips/ \ --mount=type=bind,from=nginx-files,src=tracking.info,target=/tmp/nginx/reporting/tracking.info \ mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ From 0efc50adc1e91b48f8a4d9c23ebdff7e124f503d Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 8 Aug 2025 09:17:19 +0100 Subject: [PATCH 05/10] Update agent to 3.2 --- build/Dockerfile | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 3bd66d1bc..08679d8c4 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -93,7 +93,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk && export $(cat /tmp/user_agent) \ && printf "%s%s%s\n" "http://packages.nginx.org/nginx/mainline/alpine/v" `egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release` "/main" >> /etc/apk/repositories \ && printf "%s%s%s\n" "http://packages.nginx.org/nginx-agent/alpine/v" `egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release` "/main" >> /etc/apk/repositories \ - && apk add --no-cache nginx-module-otel~${NGINX_OSS_VERSION} nginx-agent~3.1 \ + && apk add --no-cache nginx-module-otel~${NGINX_OSS_VERSION} nginx-agent~3.2 \ && ldconfig /usr/local/lib/ \ && agent.sh \ && sed -i -e '/nginx.org/d' /etc/apk/repositories @@ -115,7 +115,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s http://packages.nginx.org/nginx-agent/debian `lsb_release -cs` agent" >> /etc/apt/sources.list.d/nginx.list \ && printf "%s" "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" > /etc/apt/preferences.d/99nginx \ && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=3.1.* nginx-module-otel=${NGINX_OSS_VERSION}* \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=3.2.* nginx-module-otel=${NGINX_OSS_VERSION}* \ && apt-get purge --auto-remove -y gpg \ && rm -rf /var/lib/apt/lists/* /etc/apt/preferences.d/99nginx /etc/apt/sources.list.d/nginx.list \ && agent.sh @@ -158,7 +158,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s && printf "%s\n" "[agent]" "name=agent repo" \ "baseurl=https://packages.nginx.org/nginx-agent/centos/9/\$basearch/" \ "gpgcheck=1" "enabled=1" "module_hotfixes=true" >> /etc/yum.repos.d/nginx.repo \ - && microdnf --nodocs install -y nginx-${NGINX_OSS_VERSION}* nginx-module-njs-${NGINX_OSS_VERSION}* nginx-module-otel-${NGINX_OSS_VERSION}* nginx-module-image-filter-${NGINX_OSS_VERSION}* nginx-module-xslt-${NGINX_OSS_VERSION}* nginx-agent-3.1.* \ + && microdnf --nodocs install -y nginx-${NGINX_OSS_VERSION}* nginx-module-njs-${NGINX_OSS_VERSION}* nginx-module-otel-${NGINX_OSS_VERSION}* nginx-module-image-filter-${NGINX_OSS_VERSION}* nginx-module-xslt-${NGINX_OSS_VERSION}* nginx-agent-3.2.* \ && rm /etc/yum.repos.d/nginx.repo \ && ubi-clean.sh @@ -178,7 +178,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ export $(cat /tmp/user_agent) \ && printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent~3.1 libcap libcurl \ + && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent~3.2 libcap libcurl \ && mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ && agent.sh \ && sed -i -e '/nginx.com/d' /etc/apk/repositories @@ -219,7 +219,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache nginx-agent~3.1 \ + && apk add --no-cache nginx-agent~3.2 \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ @@ -250,7 +250,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://${PACKAGE_REPO}/app-protect-x-plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache nginx-agent~3.1 \ + && apk add --no-cache nginx-agent~3.2 \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ @@ -307,7 +307,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode apt-get update \ && cp /tmp/nginx-agent.sources /etc/apt/sources.list.d/nginx-agent.sources \ && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=3.1.* \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=3.2.* \ && agent.sh \ && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-agent.sources @@ -384,7 +384,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ && ubi-setup.sh \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-3.1.* \ + && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-3.2.* \ && agent.sh \ && ubi-clean.sh From e61ec032d5b2f9c32978961cc0af432fa5934a89 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Tue, 12 Aug 2025 12:25:25 +0100 Subject: [PATCH 06/10] update agent v3 default conf --- tests/data/agent/agent-v3.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/data/agent/agent-v3.conf b/tests/data/agent/agent-v3.conf index c14a95d69..36d745653 100644 --- a/tests/data/agent/agent-v3.conf +++ b/tests/data/agent/agent-v3.conf @@ -12,6 +12,7 @@ log: allowed_directories: - /etc/nginx + - /etc/app_protect - /usr/local/etc/nginx - /usr/share/nginx/modules - /var/run/nginx From 30f57b73ad76bc66a39ffa076184f66ff1a25dd0 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Thu, 14 Aug 2025 12:27:24 +0100 Subject: [PATCH 07/10] Update PLUS to R35, OSS to 1.29.1, Update NAP WAF 5.8 --- .github/workflows/regression.yml | 2 +- .github/workflows/setup-smoke.yml | 2 +- Makefile | 4 +- build/Dockerfile | 20 +- charts/nginx-ingress/values.schema.json | 20 +- charts/nginx-ingress/values.yaml | 4 +- charts/tests/__snapshots__/helmunit_test.snap | 8 +- tests/data/modules/data.json | 224 +++++++++--------- tests/settings.py | 2 +- 9 files changed, 143 insertions(+), 143 deletions(-) diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 2d9ea4251..b04a75842 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -265,7 +265,7 @@ jobs: - name: Generate WAF v5 tgz from JSON run: | - docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.6.0 -p /data/wafv5.json -o /data/wafv5.tgz + docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.8.0 -p /data/wafv5.json -o /data/wafv5.tgz if: ${{ contains(matrix.images.image, 'nap-v5')}} - name: Run Regression Tests diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 239c5fbf7..4262667fd 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml @@ -146,7 +146,7 @@ jobs: - name: Generate WAF v5 tgz from JSON run: | - docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.6.0 -p /data/wafv5.json -o /data/wafv5.tgz + docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.8.0 -p /data/wafv5.json -o /data/wafv5.tgz if: ${{ contains(inputs.image, 'nap-v5')}} - name: Run Smoke Tests diff --git a/Makefile b/Makefile index 67136e067..41543868f 100644 --- a/Makefile +++ b/Makefile @@ -2,8 +2,8 @@ VER = $(shell grep IC_VERSION .github/data/version.txt | cut -d '=' -f 2) GIT_TAG = $(shell git describe --exact-match --tags || echo untagged) VERSION = $(VER)-SNAPSHOT -NGINX_OSS_VERSION ?= 1.29 -NGINX_PLUS_VERSION ?= R34 +NGINX_OSS_VERSION ?= 1.29.1 +NGINX_PLUS_VERSION ?= R35 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key # Variables that can be overridden diff --git a/build/Dockerfile b/build/Dockerfile index 78f38de87..fb0a055c6 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1.16 ARG BUILD_OS=debian -ARG NGINX_OSS_VERSION=1.29 -ARG NGINX_PLUS_VERSION=R34 +ARG NGINX_OSS_VERSION=1.29.1 +ARG NGINX_PLUS_VERSION=R35 ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG} @@ -82,7 +82,7 @@ USER 101 ############################################# Base image for Alpine ############################################# -FROM nginx:1.29.0-alpine@sha256:b2e814d28359e77bd0aa5fed1939620075e4ffa0eb20423cc557b375bd5c14ad AS alpine +FROM nginx:1.29.1-alpine3.22@sha256:599f75c32c9bfe5859e022f75d26e4d939f5b1097c7abc1add287d48ec100f1e AS alpine ARG PACKAGE_REPO ARG NGINX_OSS_VERSION @@ -100,7 +100,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk ############################################# Base image for Debian ############################################# -FROM nginx:1.29.0@sha256:dc53c8f25a10f9109190ed5b59bda2d707a3bde0e45857ce9e1efaa32ff9cbc1 AS debian +FROM nginx:1.29.1@sha256:33e0bbc7ca9ecf108140af6288c7c9d1ecc77548cbfd3952fd8466a75edefe57 AS debian RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ @@ -219,7 +219,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache nginx-agent~3.2 \ + && apk add --no-cache nginx-agent~2 \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ @@ -250,14 +250,14 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://${PACKAGE_REPO}/app-protect-x-plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache nginx-agent~3.2 \ + && apk add --no-cache nginx-agent~2 \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ && cp -av /tmp/fips/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf \ && mkdir -p /etc/nginx/reporting/ \ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ - && apk add --no-cache app-protect-module-plus~=34.5.442 \ + && apk add --no-cache app-protect-module-plus~=35.5.498 \ && sed -i -e '/nginx.com/d' /etc/apk/repositories \ && nap-waf.sh \ agent.sh @@ -359,7 +359,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \ --mount=type=bind,from=nginx-files,src=debian-agent-12.sources,target=/etc/apt/sources.list.d/nginx-agent.sources \ apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=2.* app-protect-module-plus=34+5.442* nginx-plus-module-appprotect=34+5.442* app-protect-plugin=6.16.0* \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=2.* app-protect-module-plus=35+5.498* nginx-plus-module-appprotect=34+5.442* app-protect-plugin=6.20.0* \ && nap-waf.sh \ && agent.sh @@ -461,7 +461,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ && microdnf --nodocs install -y ca-certificates shadow-utils subscription-manager \ - && microdnf --nodocs install -y nginx-plus-module-otel nginx-agent-2.* app-protect-module-plus-34+5.442* \ + && microdnf --nodocs install -y nginx-plus-module-otel nginx-agent-2.* app-protect-module-plus-35+5.498* \ && nap-waf.sh \ && ubi-clean.sh \ && agent.sh @@ -531,7 +531,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && rpm --import /tmp/nginx_signing.key \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-2.* \ - && dnf --nodocs install -y app-protect-module-plus-34+5.442* \ + && dnf --nodocs install -y app-protect-module-plus-35+5.498* \ && nap-waf.sh \ && agent.sh \ && dnf clean all diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 2acdefa40..6d919ef01 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json @@ -351,10 +351,10 @@ }, "tag": { "type": "string", - "default": "5.6.0", + "default": "5.8.0", "title": "The tag of the App Protect WAF v5 Enforcer image", "examples": [ - "5.6.0" + "5.8.0" ] }, "digest": { @@ -391,7 +391,7 @@ "examples": [ { "repository": "private-registry.nginx.com/nap/waf-enforcer", - "tag": "5.6.0", + "tag": "5.8.0", "pullPolicy": "IfNotPresent" } ] @@ -425,10 +425,10 @@ }, "tag": { "type": "string", - "default": "5.6.0", + "default": "5.8.0", "title": "The tag of the App Protect WAF v5 Config Manager image", "examples": [ - "5.6.0" + "5.8.0" ] }, "digest": { @@ -465,7 +465,7 @@ "examples": [ { "repository": "private-registry.nginx.com/nap/waf-config-mgr", - "tag": "5.6.0", + "tag": "5.8.0", "pullPolicy": "IfNotPresent" } ] @@ -1953,7 +1953,7 @@ "port": 50000, "image": { "repository": "private-registry.nginx.com/nap/waf-enforcer", - "tag": "5.6.0", + "tag": "5.8.0", "pullPolicy": "IfNotPresent" }, "securityContext": {} @@ -1961,7 +1961,7 @@ "configManager": { "image": { "repository": "private-registry.nginx.com/nap/waf-config-mgr", - "tag": "5.6.0", + "tag": "5.8.0", "pullPolicy": "IfNotPresent" }, "securityContext": { @@ -2596,7 +2596,7 @@ "port": 50000, "image": { "repository": "private-registry.nginx.com/nap/waf-enforcer", - "tag": "5.6.0", + "tag": "5.8.0", "pullPolicy": "IfNotPresent" }, "securityContext": {} @@ -2604,7 +2604,7 @@ "configManager": { "image": { "repository": "private-registry.nginx.com/nap/waf-config-mgr", - "tag": "5.6.0", + "tag": "5.8.0", "pullPolicy": "IfNotPresent" }, "securityContext": { diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index 8dc7579c2..a97d52d3f 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -84,7 +84,7 @@ controller: repository: private-registry.nginx.com/nap/waf-enforcer ## The tag of the App Protect WAF v5 Enforcer image. - tag: "5.6.0" + tag: "5.8.0" ## The digest of the App Protect WAF v5 Enforcer image. ## If digest is specified it has precedence over tag and will be used instead # digest: "sha256:CHANGEME" @@ -100,7 +100,7 @@ controller: repository: private-registry.nginx.com/nap/waf-config-mgr ## The tag of the App Protect WAF v5 Configuration Manager image. - tag: "5.6.0" + tag: "5.8.0" ## The digest of the App Protect WAF v5 Configuration Manager image. ## If digest is specified it has precedence over tag and will be used instead # digest: "sha256:CHANGEME" diff --git a/charts/tests/__snapshots__/helmunit_test.snap b/charts/tests/__snapshots__/helmunit_test.snap index 78c8844e6..7f823f8fd 100755 --- a/charts/tests/__snapshots__/helmunit_test.snap +++ b/charts/tests/__snapshots__/helmunit_test.snap @@ -1932,7 +1932,7 @@ spec: - -weight-changes-dynamic-reload=false - name: waf-enforcer - image: my.private.reg/nap/waf-enforcer:5.6.0 + image: my.private.reg/nap/waf-enforcer:5.8.0 imagePullPolicy: "IfNotPresent" env: - name: ENFORCER_PORT @@ -1943,7 +1943,7 @@ spec: - name: app-protect-bd-config mountPath: /opt/app_protect/bd_config - name: waf-config-mgr - image: my.private.reg/nap/waf-config-mgr:5.6.0 + image: my.private.reg/nap/waf-config-mgr:5.8.0 imagePullPolicy: "IfNotPresent" securityContext: @@ -2514,7 +2514,7 @@ spec: - -agent-instance-group=app-protect-wafv5-agentv2-nginx-ingress-controller - name: waf-enforcer - image: my.private.reg/nap/waf-enforcer:5.6.0 + image: my.private.reg/nap/waf-enforcer:5.8.0 imagePullPolicy: "IfNotPresent" env: - name: ENFORCER_PORT @@ -2525,7 +2525,7 @@ spec: - name: app-protect-bd-config mountPath: /opt/app_protect/bd_config - name: waf-config-mgr - image: my.private.reg/nap/waf-config-mgr:5.6.0 + image: my.private.reg/nap/waf-config-mgr:5.8.0 imagePullPolicy: "IfNotPresent" securityContext: diff --git a/tests/data/modules/data.json b/tests/data/modules/data.json index b30eb79c7..2987e21bf 100644 --- a/tests/data/modules/data.json +++ b/tests/data/modules/data.json @@ -6,19 +6,19 @@ "packages": [ { "name": "nginx", - "version": "1.27.5" + "version": "1.29.1" }, { "name": "nginx-module-njs", - "version": "1.27.5" + "version": "1.29.1" }, { "name": "nginx-module-otel", - "version": "1.27.5" + "version": "1.29.1" }, { "name": "nginx-agent", - "version": "3.0" + "version": "3.2" } ], "system": "debian", @@ -33,23 +33,23 @@ "packages": [ { "name": "nginx-plus", - "version": "34-2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-agent", - "version": "3.0" + "version": "3.2" } ], "system": "debian", @@ -64,27 +64,27 @@ "packages": [ { "name": "nginx-plus", - "version": "34-2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-appprotect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect-attack-signatures", @@ -110,31 +110,31 @@ "packages": [ { "name": "nginx-plus", - "version": "34-2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-appprotect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect-module-plus", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect-plugin", - "version": "6.16.0" + "version": "6.20.0" }, { "name": "nginx-agent", @@ -152,27 +152,27 @@ "packages": [ { "name": "nginx-plus", - "version": "34-2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-appprotectdos", - "version": "34+4" + "version": "35+4" }, { "name": "app-protect-dos", - "version": "34+4" + "version": "35+4" } ], "system": "debian", @@ -186,27 +186,27 @@ "packages": [ { "name": "nginx-plus", - "version": "34-2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-appprotect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect-attack-signatures", @@ -218,11 +218,11 @@ }, { "name": "nginx-plus-module-appprotectdos", - "version": "34+4" + "version": "35+4" }, { "name": "app-protect-dos", - "version": "34+4" + "version": "35+4" }, { "name": "nginx-agent", @@ -240,19 +240,19 @@ "packages": [ { "name": "nginx", - "version": "1.27.5" + "version": "1.29.1" }, { "name": "nginx-module-njs", - "version": "1.27.5" + "version": "1.29.1" }, { "name": "nginx-module-otel", - "version": "1.27.5" + "version": "1.29.1" }, { "name": "nginx-agent", - "version": "3.0" + "version": "3.2" } ], "system": "alpine", @@ -267,23 +267,23 @@ "packages": [ { "name": "nginx-plus", - "version": "34-r2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-agent", - "version": "3.0" + "version": "3.2" } ], "system": "alpine", @@ -298,23 +298,23 @@ "packages": [ { "name": "nginx-plus", - "version": "34-r2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-agent", - "version": "3.0" + "version": "3.2" } ], "system": "alpine", @@ -329,19 +329,19 @@ "packages": [ { "name": "nginx-plus", - "version": "34-r2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-agent", @@ -349,11 +349,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "34.5.442" + "version": "35+5.498" }, { "name": "app-protect", - "version": "34.5.442" + "version": "35+5.498" }, { "name": "app-protect-attack-signatures", @@ -375,19 +375,19 @@ "packages": [ { "name": "nginx-plus", - "version": "34-r2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-agent", @@ -395,15 +395,15 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "34.5.442" + "version": "35+5.498" }, { "name": "app-protect-module-plus", - "version": "34.5.442" + "version": "35+5.498" }, { "name": "app-protect-plugin", - "version": "6.16.0" + "version": "6.20.0" } ], "system": "alpine", @@ -417,19 +417,19 @@ "packages": [ { "name": "nginx", - "version": "1.27.5" + "version": "1.29.1" }, { "name": "nginx-module-njs", - "version": "1.27.5" + "version": "1.29.1" }, { "name": "nginx-module-otel", - "version": "1.27.5" + "version": "1.29.1" }, { "name": "nginx-agent", - "version": "3.0" + "version": "3.2" } ], "system": "ubi", @@ -444,23 +444,23 @@ "packages": [ { "name": "nginx-plus", - "version": "34-2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-agent", - "version": "3.0" + "version": "3.2" } ], "system": "ubi", @@ -475,19 +475,19 @@ "packages": [ { "name": "nginx-plus", - "version": "34-2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-agent", @@ -495,11 +495,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect-attack-signatures", @@ -521,19 +521,19 @@ "packages": [ { "name": "nginx-plus", - "version": "34-2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-agent", @@ -541,15 +541,15 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect-module-plus", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect-plugin", - "version": "6.16.0" + "version": "6.20.0" } ], "system": "ubi", @@ -563,19 +563,19 @@ "packages": [ { "name": "nginx-plus", - "version": "34-2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-agent", @@ -583,11 +583,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect-attack-signatures", @@ -609,19 +609,19 @@ "packages": [ { "name": "nginx-plus", - "version": "34-2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-agent", @@ -629,15 +629,15 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect-module-plus", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect-plugin", - "version": "6.16.0" + "version": "6.20.0" } ], "system": "ubi", @@ -651,27 +651,27 @@ "packages": [ { "name": "nginx-plus", - "version": "34-2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-appprotectdos", - "version": "34+4" + "version": "35+4" }, { "name": "app-protect-dos", - "version": "34+4" + "version": "35+4" } ], "system": "ubi", @@ -685,27 +685,27 @@ "packages": [ { "name": "nginx-plus", - "version": "34-2" + "version": "35" }, { "name": "nginx-plus-module-njs", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-otel", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-fips-check", - "version": "34" + "version": "35" }, { "name": "nginx-plus-module-appprotect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "nginx-plus-module-appprotectdos", - "version": "34+4" + "version": "35+4" }, { "name": "nginx-agent", @@ -713,7 +713,7 @@ }, { "name": "app-protect", - "version": "34+5.442" + "version": "35+5.498" }, { "name": "app-protect-attack-signatures", @@ -725,7 +725,7 @@ }, { "name": "app-protect-dos", - "version": "34+4" + "version": "35+4" } ], "system": "ubi", diff --git a/tests/settings.py b/tests/settings.py index 66071c3eb..65b730c1b 100644 --- a/tests/settings.py +++ b/tests/settings.py @@ -33,4 +33,4 @@ # Nginx registry address to pull waf components from NGX_REG = "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr" # WAF component version to pull from above registry -WAF_V5_VERSION = "5.6.0" +WAF_V5_VERSION = "5.8.0" From 1075338b68688b5e4ea29cd6f03540c65939a07a Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Thu, 14 Aug 2025 12:54:56 +0100 Subject: [PATCH 08/10] update nap module --- build/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/Dockerfile b/build/Dockerfile index b7d3cfc21..4cd312e09 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -359,7 +359,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \ --mount=type=bind,from=nginx-files,src=debian-agent-12.sources,target=/etc/apt/sources.list.d/nginx-agent.sources \ apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=2.* app-protect-module-plus=35+5.498* nginx-plus-module-appprotect=34+5.442* app-protect-plugin=6.20.0* \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=2.* app-protect-module-plus=35+5.498* nginx-plus-module-appprotect=35+5.498* app-protect-plugin=6.20.0* \ && nap-waf.sh \ && agent.sh From 5ec2a5621ac1396a5d912ffdce20d1f400436cef Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Thu, 14 Aug 2025 15:19:30 +0100 Subject: [PATCH 09/10] fix data.json --- tests/data/modules/data.json | 40 ++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/tests/data/modules/data.json b/tests/data/modules/data.json index 2987e21bf..1a80bcd7b 100644 --- a/tests/data/modules/data.json +++ b/tests/data/modules/data.json @@ -33,7 +33,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-1" }, { "name": "nginx-plus-module-njs", @@ -64,7 +64,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-1" }, { "name": "nginx-plus-module-njs", @@ -110,7 +110,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-1" }, { "name": "nginx-plus-module-njs", @@ -152,7 +152,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-1" }, { "name": "nginx-plus-module-njs", @@ -186,7 +186,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-1" }, { "name": "nginx-plus-module-njs", @@ -267,7 +267,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-r1" }, { "name": "nginx-plus-module-njs", @@ -298,7 +298,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-r1" }, { "name": "nginx-plus-module-njs", @@ -329,7 +329,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-r1" }, { "name": "nginx-plus-module-njs", @@ -349,11 +349,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "35+5.498" + "version": "35.5.498" }, { "name": "app-protect", - "version": "35+5.498" + "version": "35.5.498" }, { "name": "app-protect-attack-signatures", @@ -375,7 +375,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-r1" }, { "name": "nginx-plus-module-njs", @@ -395,11 +395,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "35+5.498" + "version": "35.5.498" }, { "name": "app-protect-module-plus", - "version": "35+5.498" + "version": "35.5.498" }, { "name": "app-protect-plugin", @@ -444,7 +444,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-1" }, { "name": "nginx-plus-module-njs", @@ -475,7 +475,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-1" }, { "name": "nginx-plus-module-njs", @@ -521,7 +521,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-1" }, { "name": "nginx-plus-module-njs", @@ -563,7 +563,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-1" }, { "name": "nginx-plus-module-njs", @@ -609,7 +609,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-1" }, { "name": "nginx-plus-module-njs", @@ -651,7 +651,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-1" }, { "name": "nginx-plus-module-njs", @@ -685,7 +685,7 @@ "packages": [ { "name": "nginx-plus", - "version": "35" + "version": "35-1" }, { "name": "nginx-plus-module-njs", From f76bfca457ac7e697be848edab360ff84a6e0c72 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Thu, 14 Aug 2025 15:21:46 +0100 Subject: [PATCH 10/10] update oss version --- Makefile | 2 +- build/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 41543868f..3583c132b 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ VER = $(shell grep IC_VERSION .github/data/version.txt | cut -d '=' -f 2) GIT_TAG = $(shell git describe --exact-match --tags || echo untagged) VERSION = $(VER)-SNAPSHOT -NGINX_OSS_VERSION ?= 1.29.1 +NGINX_OSS_VERSION ?= 1.29 NGINX_PLUS_VERSION ?= R35 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key diff --git a/build/Dockerfile b/build/Dockerfile index 4cd312e09..a43b8389d 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1.16 ARG BUILD_OS=debian -ARG NGINX_OSS_VERSION=1.29.1 +ARG NGINX_OSS_VERSION=1.29 ARG NGINX_PLUS_VERSION=R35 ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive