Skip to content

Commit e93ce37

Browse files
ciarams87ciarams87
committed
Build WAF image in pipeline
1 parent 61185c7 commit e93ce37

File tree

5 files changed

+62
-24
lines changed

5 files changed

+62
-24
lines changed

.github/workflows/build.yml

Lines changed: 23 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -87,15 +87,15 @@ jobs:
8787
token_format: access_token
8888
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY }}
8989
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
90-
if: ${{ github.event_name != 'pull_request' && contains(inputs.image, 'plus') }}
90+
if: ${{ github.event_name != 'pull_request' && (contains(inputs.image, 'plus') || inputs.image == 'plus-waf') }}
9191

9292
- name: Login to GAR
9393
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
9494
with:
9595
registry: us-docker.pkg.dev
9696
username: oauth2accesstoken
9797
password: ${{ steps.auth.outputs.access_token }}
98-
if: ${{ github.event_name != 'pull_request' && contains(inputs.image, 'plus') }}
98+
if: ${{ github.event_name != 'pull_request' && (contains(inputs.image, 'plus') || inputs.image == 'plus-waf') }}
9999

100100
- name: Docker meta
101101
id: meta
@@ -106,7 +106,9 @@ jobs:
106106
name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric,enable=${{ inputs.image == 'ngf' && github.event_name != 'pull_request' }}
107107
name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/nginx,enable=${{ inputs.image == 'nginx' && github.event_name != 'pull_request' }}
108108
name=docker-mgmt.nginx.com/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
109+
name=docker-mgmt.nginx.com/nginx-gateway-fabric/nginx-plus-nap-waf,enable=${{ inputs.image == 'plus-waf' && github.event_name != 'pull_request' }}
109110
name=us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
111+
name=us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/nginx-gateway-fabric/nginx-plus-nap-waf,enable=${{ inputs.image == 'plus-waf' && github.event_name != 'pull_request' }}
110112
name=localhost:5000/nginx-gateway-fabric/${{ inputs.image }}
111113
flavor: |
112114
latest=${{ (inputs.tag != '' && 'true') || 'auto' }}
@@ -134,7 +136,7 @@ jobs:
134136
- name: Build Docker Image
135137
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
136138
with:
137-
file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }}
139+
file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ (inputs.image == 'plus' || inputs.image == 'plus-waf') && '.nginxplus' || '' }}
138140
context: "."
139141
target: ${{ inputs.image == 'ngf' && 'goreleaser' || '' }}
140142
tags: ${{ steps.meta.outputs.tags }}
@@ -152,13 +154,30 @@ jobs:
152154
NJS_DIR=internal/controller/nginx/modules/src
153155
NGINX_CONF_DIR=internal/controller/nginx/conf
154156
BUILD_AGENT=gha
157+
${{ inputs.image == 'plus-waf' && 'ALPINE_VERSION=3.19' || '' }}
158+
${{ inputs.image == 'plus-waf' && 'INCLUDE_NAP_WAF=true' || '' }}
155159
secrets: |
156160
${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }}
157161
${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }}
158162
159163
- name: Inspect SBOM and output manifest
160164
run: |
165+
if [[ "${{ inputs.image }}" == "plus-waf" ]]; then
166+
# For plus-waf, use syft directly
167+
echo "Generating SBOM for plus-waf using syft..."
168+
169+
# Install syft if not available
170+
if ! command -v syft >/dev/null 2>&1; then
171+
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
172+
fi
173+
174+
# Generate SBOM using syft directly for plus-waf (known to work with NAP WAF)
175+
syft localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} -o spdx-json > sbom-${{ inputs.image }}.json
176+
echo "Generated SBOM using syft for plus-waf"
177+
else
178+
# For other images, use the standard Docker buildx approach
161179
docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom-${{ inputs.image }}.json
180+
fi
162181
docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} --raw
163182
164183
- name: Scan SBOM
@@ -176,4 +195,4 @@ jobs:
176195
with:
177196
sarif_file: ${{ steps.scan.outputs.sarif }}
178197
category: build-${{ inputs.image }}
179-
if: always()
198+
if: always() && steps.scan.conclusion == 'success'

.github/workflows/ci.yml

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -222,6 +222,20 @@ jobs:
222222
id-token: write # for docker/login to login to NGINX registry
223223
secrets: inherit
224224

225+
build-plus-waf:
226+
name: Build Plus WAF images
227+
needs: [vars, binary]
228+
uses: ./.github/workflows/build.yml
229+
with:
230+
image: plus-waf
231+
platforms: "linux/amd64"
232+
permissions:
233+
contents: read # for docker/build-push-action to read repo content
234+
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
235+
packages: write # for docker/build-push-action to push to GHCR
236+
id-token: write # for docker/login to login to NGINX registry
237+
secrets: inherit
238+
225239
functional-tests:
226240
name: Functional tests
227241
needs: [vars, build-oss, build-plus]

README.md

Lines changed: 16 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -66,22 +66,22 @@ the [Issue Lifecycle](ISSUE_LIFECYCLE.md) document for information on issue crea
6666

6767
The following table lists the software versions NGINX Gateway Fabric supports.
6868

69-
| NGINX Gateway Fabric | Gateway API | Kubernetes | NGINX OSS | NGINX Plus | NGINX Agent |
70-
|----------------------|-------------|------------|-----------|------------|-------------|
71-
| Edge | 1.3.0 | 1.25+ | 1.28.0 | R34 | v3.0.3 |
72-
| 2.0.2 | 1.3.0 | 1.25+ | 1.28.0 | R34 | v3.0.1 |
73-
| 2.0.1 | 1.3.0 | 1.25+ | 1.28.0 | R34 | v3.0.1 |
74-
| 2.0.0 | 1.3.0 | 1.25+ | 1.28.0 | R34 | v3.0.0 |
75-
| 1.6.2 | 1.2.1 | 1.25+ | 1.27.4 | R33 | --- |
76-
| 1.6.1 | 1.2.1 | 1.25+ | 1.27.4 | R33 | --- |
77-
| 1.6.0 | 1.2.1 | 1.25+ | 1.27.3 | R33 | --- |
78-
| 1.5.1 | 1.2.0 | 1.25+ | 1.27.2 | R33 | --- |
79-
| 1.5.0 | 1.2.0 | 1.25+ | 1.27.2 | R33 | --- |
80-
| 1.4.0 | 1.1.0 | 1.25+ | 1.27.1 | R32 | --- |
81-
| 1.3.0 | 1.1.0 | 1.25+ | 1.27.0 | R32 | --- |
82-
| 1.2.0 | 1.0.0 | 1.23+ | 1.25.4 | R31 | --- |
83-
| 1.1.0 | 1.0.0 | 1.23+ | 1.25.3 | n/a | --- |
84-
| 1.0.0 | 0.8.1 | 1.23+ | 1.25.2 | n/a | --- |
69+
| NGINX Gateway Fabric | Gateway API | Kubernetes | NGINX OSS | NGINX Plus | NGINX Agent | NGINX NAP WAF |
70+
|----------------------|-------------|------------|-----------|------------|-------------|---------------|
71+
| Edge | 1.3.0 | 1.25+ | 1.28.0 | R34 | v3.0.3 | 5.7.0. |
72+
| 2.0.2 | 1.3.0 | 1.25+ | 1.28.0 | R34 | v3.0.1 | --- |
73+
| 2.0.1 | 1.3.0 | 1.25+ | 1.28.0 | R34 | v3.0.1 | --- |
74+
| 2.0.0 | 1.3.0 | 1.25+ | 1.28.0 | R34 | v3.0.0 | --- |
75+
| 1.6.2 | 1.2.1 | 1.25+ | 1.27.4 | R33 | --- | --- |
76+
| 1.6.1 | 1.2.1 | 1.25+ | 1.27.4 | R33 | --- | --- |
77+
| 1.6.0 | 1.2.1 | 1.25+ | 1.27.3 | R33 | --- | --- |
78+
| 1.5.1 | 1.2.0 | 1.25+ | 1.27.2 | R33 | --- | --- |
79+
| 1.5.0 | 1.2.0 | 1.25+ | 1.27.2 | R33 | --- | --- |
80+
| 1.4.0 | 1.1.0 | 1.25+ | 1.27.1 | R32 | --- | --- |
81+
| 1.3.0 | 1.1.0 | 1.25+ | 1.27.0 | R32 | --- | --- |
82+
| 1.2.0 | 1.0.0 | 1.23+ | 1.25.4 | R31 | --- | --- |
83+
| 1.1.0 | 1.0.0 | 1.23+ | 1.25.3 | n/a | --- | --- |
84+
| 1.0.0 | 0.8.1 | 1.23+ | 1.25.2 | n/a | --- | --- |
8585

8686
## SBOM (Software Bill of Materials)
8787

internal/controller/provisioner/objects.go

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -33,9 +33,10 @@ const (
3333
defaultServiceType = corev1.ServiceTypeLoadBalancer
3434
defaultServicePolicy = corev1.ServiceExternalTrafficPolicyLocal
3535

36-
defaultNginxImagePath = "ghcr.io/nginx/nginx-gateway-fabric/nginx"
37-
defaultNginxPlusImagePath = "private-registry.nginx.com/nginx-gateway-fabric/nginx-plus"
38-
defaultImagePullPolicy = corev1.PullIfNotPresent
36+
defaultNginxImagePath = "ghcr.io/nginx/nginx-gateway-fabric/nginx"
37+
defaultNginxPlusImagePath = "private-registry.nginx.com/nginx-gateway-fabric/nginx-plus"
38+
defaultNginxPlusWafImagePath = "private-registry.nginx.com/nginx-gateway-fabric/nginx-plus-nap-waf"
39+
defaultImagePullPolicy = corev1.PullIfNotPresent
3940

4041
// WAF container defaults.
4142
defaultWAFEnforcerImagePath = "private-registry.nginx.com/nap/waf-enforcer"
@@ -1005,6 +1006,10 @@ func (p *NginxProvisioner) buildImage(nProxyCfg *graph.EffectiveNginxProxy) (str
10051006
image = defaultNginxPlusImagePath
10061007
}
10071008

1009+
if graph.WAFEnabledForNginxProxy(nProxyCfg) {
1010+
image = defaultNginxPlusWafImagePath
1011+
}
1012+
10081013
getImageAndPullPolicy := func(container ngfAPIv1alpha2.ContainerSpec) (string, string, corev1.PullPolicy) {
10091014
if container.Image != nil {
10101015
if container.Image.Repository != nil {

internal/controller/provisioner/objects_test.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1126,7 +1126,7 @@ func TestBuildNginxResourceObjects_WAF(t *testing.T) {
11261126
// Validate NGINX container (first container)
11271127
nginxContainer := template.Spec.Containers[0]
11281128
g.Expect(nginxContainer.Name).To(Equal("nginx"))
1129-
g.Expect(nginxContainer.Image).To(Equal(fmt.Sprintf("%s:1.0.0", defaultNginxImagePath)))
1129+
g.Expect(nginxContainer.Image).To(Equal(fmt.Sprintf("%s:1.0.0", defaultNginxPlusWafImagePath)))
11301130

11311131
// Check NGINX container has WAF volume mounts
11321132
wafVolumeMountNames := []string{

0 commit comments

Comments
 (0)