nginx · shaun-nx · Sep 29, 2025 · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025
diff --git a/Makefile b/Makefile
@@ -7,6 +7,7 @@ NJS_DIR = internal/controller/nginx/modules/src
 KIND_CONFIG_FILE = $(SELF_DIR)config/cluster/kind-cluster.yaml
 NGINX_DOCKER_BUILD_PLUS_ARGS = --secret id=nginx-repo.crt,src=$(SELF_DIR)nginx-repo.crt --secret id=nginx-repo.key,src=$(SELF_DIR)nginx-repo.key
 BUILD_AGENT = local
+BASE_IMAGE ?= nginx:1.29.1-alpine-otel
 
 PROD_TELEMETRY_ENDPOINT = oss.edge.df.f5.com:443
 # the telemetry related variables below are also configured in goreleaser.yml
@@ -43,6 +44,7 @@ HELM_SCHEMA_VERSION = 0.18.1
 PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-gateway-fabric
 NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx
 NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus
+BUILD_OS ?= alpine## The OS of the nginx image. Possible values: alpine and ubi
 TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0
 TARGET ?= local## The target of the build. Possible values: local and container
 OUT_DIR ?= build/out## The folder where the binary will be stored
@@ -52,7 +54,7 @@ PLUS_ENABLED ?= false
 PLUS_LICENSE_FILE ?= $(SELF_DIR)license.jwt
 PLUS_USAGE_ENDPOINT ?=## The N+ usage endpoint. For development, please set to the N1 staging endpoint.
 
-override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) --build-arg BUILD_AGENT=$(BUILD_AGENT)
+override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) --build-arg BUILD_AGENT=$(BUILD_AGENT) --build-arg BASE_IMAGE=$(BASE_IMAGE)
 
 .DEFAULT_GOAL := help
 
@@ -90,7 +92,7 @@ build-prod-nginx-image: build-nginx-image ## Build the custom nginx image for pr
 
 .PHONY: build-nginx-image
 build-nginx-image: check-for-docker ## Build the custom nginx image
-	docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f $(SELF_DIR)build/Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR))
+	docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR))
 
 .PHONY: build-prod-nginx-plus-image
 build-prod-nginx-plus-image: build-nginx-plus-image ## Build the custom nginx plus image for production

diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx
@@ -0,0 +1,48 @@
+# syntax=docker/dockerfile:1.18
+FROM scratch AS nginx-files
+
+# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 <local_file> <container_file>
+ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key
+ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo
+ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo
+
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+# FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9
+
+# renovate: datasource=github-tags depName=nginx/agent
+ARG NGINX_AGENT_VERSION=v3.3.1
+ARG NJS_DIR
+ARG NGINX_CONF_DIR
+ARG BUILD_AGENT
+
+# c-ares is required by for nginx-module-otel. It is not available in ubi9-minimal by default
+RUN --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \
+    --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \
+    --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
+    rpm --import /tmp/nginx_signing.key \
+    && microdnf update -y \
+    && microdnf --nodocs install -y shadow-utils subscription-manager \
+    # microdnf --enablerepo=appstream install -y c-ares \
+    && microdnf --nodocs install -y nginx \
+    && microdnf --nodocs install -y nginx-module-njs nginx-module-image-filter nginx-module-xslt \
+    && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \
+    && microdnf clean all
+
+RUN mkdir -p /usr/lib/nginx/modules \
+    # forward request and error logs to docker log collector
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log
+
+COPY build/entrypoint.sh /agent/entrypoint.sh
+COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js
+COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf
+COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf
+COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf
+
+RUN chown -R 101:1001 /etc/nginx /var/cache/nginx
+
+LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}"
+
+USER 101:1001
+
+ENTRYPOINT ["/agent/entrypoint.sh"]
diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus
@@ -0,0 +1,5 @@
+# syntax=docker/dockerfile:1.18
+FROM scratch AS nginx-files
+
+# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 <local_file> <container_file>
+ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
diff --git a/build/ubi/repos/agent.repo b/build/ubi/repos/agent.repo
@@ -0,0 +1,6 @@
+[agent]
+name=agent repo
+baseurl=https://packages.nginx.org/nginx-agent/centos/9/$basearch/
+gpgcheck=1
+enabled=1
+module_hotfixes=true
diff --git a/build/ubi/repos/nginx.repo b/build/ubi/repos/nginx.repo
@@ -0,0 +1,6 @@
+[nginx]
+name=nginx repo
+baseurl=https://packages.nginx.org/nginx/mainline/centos/9/$basearch/
+gpgcheck=1
+enabled=1
+module_hotfixes=true