Update pipeline to build and publish UBI images

.github/workflows/build.yml

@@ -6,6 +6,10 @@ on:
       platforms:
         required: true
         type: string
+      build_os:
+        required: false
+        type: string
+        default: ''
       image:
         required: true
         type: string
@@ -143,7 +147,7 @@ jobs:
       - name: Build Docker Image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
-          file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }}
+          file: ${{ inputs.build_os != '' && format('build/{0}/Dockerfile{1}', inputs.build_os, inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') || format('build/Dockerfile{0}', inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') }}
           context: "."
           target: ${{ inputs.image == 'ngf' && 'goreleaser' || '' }}
           tags: ${{ steps.meta.outputs.tags }}
@@ -161,6 +165,7 @@ jobs:
             NJS_DIR=internal/controller/nginx/modules/src
             NGINX_CONF_DIR=internal/controller/nginx/conf
             BUILD_AGENT=gha
+            BUILD_OS=${{ inputs.build_os }}
           secrets: |
             ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }}
             ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }}

.github/workflows/ci.yml

@@ -234,10 +234,12 @@ jobs:
       matrix:
         image: [ngf, nginx]
         platforms: ["linux/arm64, linux/amd64"]
+        build_os: ["", ubi]
     uses: ./.github/workflows/build.yml
     with:
       image: ${{ matrix.image }}
       platforms: ${{ matrix.platforms }}
+      build_os: ${{ matrix.build_os }}
       tag: ${{ inputs.release_version || '' }}
       dry_run: ${{ inputs.dry_run || false}}
       runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
@@ -252,9 +254,14 @@ jobs:
     name: Build Plus images
     needs: [vars, binary]
     uses: ./.github/workflows/build.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        build_os: ["", ubi]
     with:
       image: plus
       platforms: "linux/arm64, linux/amd64"
+      build_os: ${{ matrix.build_os }}
       tag: ${{ inputs.release_version || '' }}
       dry_run: ${{ inputs.dry_run || false }}
       runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}

Makefile

@@ -43,6 +43,7 @@ HELM_SCHEMA_VERSION = 0.18.1
 PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-gateway-fabric
 NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx
 NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus
+BUILD_OS ?= ## The OS of the nginx image. Possible values: alpine and ubi
 NGINX_SERVICE_TYPE ?= NodePort## The type of the nginx service. Possible values: NodePort, LoadBalancer, ClusterIP
 PULL_POLICY ?= Never## The pull policy of the images. Possible values: Always, IfNotPresent, Never
 TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0
@@ -54,7 +55,7 @@ PLUS_ENABLED ?= false
 PLUS_LICENSE_FILE ?= $(SELF_DIR)license.jwt
 PLUS_USAGE_ENDPOINT ?=## The N+ usage endpoint. For development, please set to the N1 staging endpoint.
 
-override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) --build-arg BUILD_AGENT=$(BUILD_AGENT)
+override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) --build-arg BUILD_AGENT=$(BUILD_AGENT) --build-arg BASE_IMAGE=$(BASE_IMAGE)
 
 .DEFAULT_GOAL := help
 
@@ -85,21 +86,21 @@ build-prod-ngf-image: build-ngf-image ## Build the NGF docker image for producti
 
 .PHONY: build-ngf-image
 build-ngf-image: check-for-docker build ## Build the NGF docker image
-	docker build --platform linux/$(GOARCH) --build-arg BUILD_AGENT=$(BUILD_AGENT) --target $(strip $(TARGET)) -f $(SELF_DIR)build/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR))
+	docker build --platform linux/$(GOARCH) --build-arg BUILD_AGENT=$(BUILD_AGENT) --target $(strip $(TARGET)) -f $(SELF_DIR)build/$(if $(BUILD_OS),$(BUILD_OS)/)Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR))
 
 .PHONY: build-prod-nginx-image
 build-prod-nginx-image: build-nginx-image ## Build the custom nginx image for production
 
 .PHONY: build-nginx-image
 build-nginx-image: check-for-docker ## Build the custom nginx image
-	docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f $(SELF_DIR)build/Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR))
+	docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f $(SELF_DIR)build/$(if $(BUILD_OS),$(BUILD_OS)/)Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR))
 
 .PHONY: build-prod-nginx-plus-image
 build-prod-nginx-plus-image: build-nginx-plus-image ## Build the custom nginx plus image for production
 
 .PHONY: build-nginx-plus-image
 build-nginx-plus-image: check-for-docker ## Build the custom nginx plus image
-	docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS))  -f $(SELF_DIR)build/Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR))
+	docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS))  -f $(SELF_DIR)build/$(if $(BUILD_OS),$(BUILD_OS)/)Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR))
 
 .PHONY: check-for-docker
 check-for-docker: ## Check if Docker is installed

build/entrypoint.sh

@@ -40,12 +40,12 @@ fi
 nginx_pid=$!
 
 SECONDS=0
-
-while ! ps -ef | grep "nginx: master process" | grep -v grep; do
-    if ((SECONDS > 5)); then
+while [[ ! -f /var/run/nginx.pid ]] && [[ ! -f /var/run/nginx/nginx.pid ]]; do
+    if ((SECONDS > 30)); then
         echo "couldn't find nginx master process"
         exit 1
     fi
+    sleep 1
 done
 
 # start nginx-agent, pass args

build/ubi/Dockerfile

@@ -0,0 +1,30 @@
+# syntax=docker/dockerfile:1.18
+FROM golang:1.25 AS builder
+
+WORKDIR /go/src/github.com/nginx/nginx-gateway-fabric
+
+COPY go.mod go.sum /go/src/github.com/nginx/nginx-gateway-fabric/
+RUN go mod download
+
+COPY . /go/src/github.com/nginx/nginx-gateway-fabric
+RUN make build
+
+FROM golang:1.25 AS ca-certs-provider
+
+FROM redhat/ubi9-minimal:9.6 AS ngf-ubi-minimal
+# CA certs are needed for telemetry report so that NGF can verify the server's certificate.
+COPY --from=ca-certs-provider --link /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+USER 101:1001
+ARG BUILD_AGENT
+ENV BUILD_AGENT=${BUILD_AGENT}
+ENTRYPOINT [ "/usr/bin/gateway" ]
+
+FROM ngf-ubi-minimal AS container
+COPY --from=builder /go/src/github.com/nginxinc/nginx-gateway-fabric/build/out/gateway /usr/bin/gateway
+
+FROM ngf-ubi-minimal AS local
+COPY ./build/out/gateway /usr/bin/gateway
+
+FROM ngf-ubi-minimal AS goreleaser
+ARG TARGETARCH
+COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/gateway

build/ubi/Dockerfile.nginx

@@ -0,0 +1,74 @@
+# syntax=docker/dockerfile:1.18
+FROM scratch AS nginx-files
+
+# Repository and key files for UBI-based builds
+ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key
+ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo
+ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo
+
+FROM redhat/ubi9-minimal:9.6 AS ubi-minimal
+
+FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages
+
+FROM ubi-minimal AS ubi-nginx
+
+# renovate: datasource=github-tags depName=nginx/agent
+ARG NGINX_AGENT_VERSION=v3.3.1
+ARG NJS_DIR
+ARG NGINX_CONF_DIR
+ARG BUILD_AGENT
+
+LABEL name="F5 NGINX Gateway Fabric NGINX" \
+	maintainer="[email protected]" \
+	vendor="F5 NGINX Inc" \
+	summary="F5 NGINX for NGINX Gateway Fabric" \
+	description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \
+	org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \
+	io.k8s.description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \
+	io.openshift.tags="nginx,gateway,kubernetes,openshift"
+
+COPY --link --chown=101:1001 LICENSE /licenses/
+
+# Install NGINX with OTEL support using the same approach as NGINX IC
+RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
+    --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \
+    --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \
+    --mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \
+    # Import NGINX signing key
+    rpm --import /tmp/nginx_signing.key \
+    # Install c-ares from the dependencies image (contains required libs)
+    && rpm -Uvh /ubi-bin/c-ares-*.rpm \
+    # Create nginx user with consistent UID/GID
+    && groupadd -g 1001 nginx \
+    && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \
+    # Install NGINX and modules including OTEL
+    && microdnf --nodocs install -y nginx nginx-module-njs nginx-module-otel \
+    # Install nginx-agent
+    && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \
+    # Clean up (only remove what we can)
+    && microdnf clean all \
+    && rm -rf /var/cache/yum
+
+# Configure directories and logging
+RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \
+    # Forward request and error logs to docker log collector
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log \
+    && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \
+    # Set proper permissions for nginx user
+    && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx
+
+# Copy configuration files and scripts
+COPY build/entrypoint.sh /agent/entrypoint.sh
+COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js
+COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf
+COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf
+COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf
+
+# Set executable permissions
+RUN chmod +x /agent/entrypoint.sh && chown 101:1001 /agent/entrypoint.sh
+
+# Switch to non-root user
+USER 101:1001
+
+ENTRYPOINT ["/agent/entrypoint.sh"]

build/ubi/Dockerfile.nginxplus

@@ -0,0 +1,82 @@
+# syntax=docker/dockerfile:1.18
+FROM scratch AS nginx-files
+
+# NGINX Plus repo and key files (must be provided at build time)
+ADD --link --chown=101:1001 https://cs.nginx.com/static/files/plus-9.repo nginx-plus.repo
+ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key
+ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo
+ADD --link --chown=101:1001 nginx-repo.crt nginx-repo.crt
+ADD --link --chown=101:1001 nginx-repo.key nginx-repo.key
+
+FROM redhat/ubi9-minimal:9.6 AS ubi-minimal
+
+FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages
+
+FROM ubi-minimal AS ubi-nginx-plus
+
+ARG NGINX_PLUS_VERSION=R35
+
+# renovate: datasource=github-tags depName=nginx/agent
+ARG NGINX_AGENT_VERSION=v3.3.1
+ARG NJS_DIR
+ARG NGINX_CONF_DIR
+ARG BUILD_AGENT
+
+LABEL name="F5 NGINX Gateway Fabric NGINX Plus" \
+	maintainer="[email protected]" \
+	vendor="F5 NGINX Inc" \
+	summary="F5 NGINX Plus for NGINX Gateway Fabric" \
+	description="F5 NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \
+	org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \
+	io.k8s.description="F5 NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \
+	io.openshift.tags="nginx,gateway,kubernetes,openshift"
+
+COPY --link --chown=101:1001 LICENSE /licenses/
+
+# Install NGINX Plus and modules
+RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos.d/nginx-plus.repo \
+    --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \
+    --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
+    --mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \
+    --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+	--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+    # Install shadow-utils for useradd and subscription-manager for repo access
+    microdnf --nodocs install -y shadow-utils subscription-manager \
+    && rpm --import /tmp/nginx_signing.key \
+    # Install c-ares from the dependencies image (contains required libs)
+    && rpm -Uvh /ubi-bin/c-ares-*.rpm \
+    # Create nginx user with consistent UID/GID
+    && groupadd -g 1001 nginx \
+    && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \
+    # Install NGINX Plus and modules (njs, otel)
+    && microdnf --nodocs install -y nginx-plus-${NGINX_PLUS_VERSION,,} \
+    && microdnf --nodocs install -y nginx-plus-module-njs-${NGINX_PLUS_VERSION,,} nginx-plus-module-otel-${NGINX_PLUS_VERSION,,} \
+    # Install nginx-agent
+    && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \
+    # Clean up
+    && microdnf clean all \
+    && rm -rf /var/cache/yum
+
+# Configure directories and logging
+RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \
+    # Forward request and error logs to docker log collector
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log \
+    && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \
+    # Set proper permissions for nginx user
+    && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx
+
+# Copy configuration files and scripts
+COPY build/entrypoint.sh /agent/entrypoint.sh
+COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js
+COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf
+COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf
+COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf
+
+# Set executable permissions
+RUN chmod +x /agent/entrypoint.sh && chown 101:1001 /agent/entrypoint.sh
+
+# Switch to non-root user
+USER 101:1001
+
+ENTRYPOINT ["/agent/entrypoint.sh"]

build/ubi/repos/agent.repo

@@ -0,0 +1,6 @@
+[agent]
+name=agent repo
+baseurl=https://packages.nginx.org/nginx-agent/centos/9/$basearch/
+gpgcheck=1
+enabled=1
+module_hotfixes=true

build/ubi/repos/nginx.repo

@@ -0,0 +1,6 @@
+[nginx]
+name=nginx repo
+baseurl=https://packages.nginx.org/nginx/mainline/centos/9/$basearch/
+gpgcheck=1
+enabled=1
+module_hotfixes=true