Added nginx-agent-docker on debian-bullseye (#81)

* Added nginx-agent-docker

* Changed base image to Debian bullseye

* Update nginx-agent-docker/Dockerfile

Thank you

Co-authored-by: Luca Comellini <[email protected]>
Signed-off-by: 65397 <[email protected]>

* Update nginx-agent-docker/Dockerfile

Co-authored-by: Luca Comellini <[email protected]>
Signed-off-by: 65397 <[email protected]>

* Update nginx-agent-docker/Dockerfile

Co-authored-by: Luca Comellini <[email protected]>
Signed-off-by: 65397 <[email protected]>

* Update nginx-agent-docker/Dockerfile

Co-authored-by: Luca Comellini <[email protected]>
Signed-off-by: 65397 <[email protected]>

---------

Signed-off-by: 65397 <[email protected]>
Co-authored-by: Luca Comellini <[email protected]>

Author: fabriziofiorucci

README.md

@@ -17,6 +17,8 @@ utilizing *fleet* and *etcd*.
 
 *   **mysql-galera-demo**: This demo uses NGINX Plus as a TCP load balancer for a MySQL Galera cluster consisting of two mysqld servers. It does round-robin load balancing between the 2 mysqld servers and also does active health checks using an xinetd script running on port 9200 inside each mysqld container.
 
+*   **nginx-agent-docker**: This demo helps building a docker image to deploy NGINX Plus and NGINX Agent for NGINX Management Suite, with optional support for NGINX App Protect WAF and NGINX Developer Portal for API Connectivity Manager
+
 *   **nginx-hello**: NGINX running as webserver in a docker container that serves a simple page containing the container's hostname, IP address and port
 
 *   **nginx-hello-nonroot**: NGINX running as webserver with non root privilege in a docker container that serves a simple page containing the container's hostname, IP address and port

nginx-agent-docker/Dockerfile

@@ -0,0 +1,59 @@
+FROM debian:bullseye-slim
+
+ARG NMS_URL
+ARG DEVPORTAL=false
+ARG NAP_WAF=false
+
+# Initial packages setup
+RUN	apt-get -y update \
+	&& apt-get -y install -y apt-transport-https lsb-release ca-certificates wget gnupg2 curl \
+# NGINX Instance Manager agent setup
+	&& mkdir -p /deployment /etc/ssl/nginx \
+# Agent installation
+	&& bash -c 'curl -k $NMS_URL/install/nginx-agent | sh' && echo "Agent installed from NMS"
+
+# Startup script
+COPY ./container/start.sh /deployment/
+
+# Download certificate and key from the customer portal (https://account.f5.com)
+# and copy to the build context
+RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+	--mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+	set -x \
+# Startup script
+	&& chmod +x /deployment/start.sh && touch /.dockerenv \
+# Install prerequisite packages:
+	&& apt-get -y update \
+	&& apt-get -y install debian-archive-keyring \
+	&& wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \
+	&& printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-plus.list \
+	&& wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \
+	&& apt-get -y update \
+	&& apt-get -y install nginx-plus nginx-plus-module-njs nginx-plus-module-prometheus \
+
+# Optional NGINX App Protect WAF
+	&& if [ "$NAP_WAF" = "true" ] ; then \
+	wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor | tee /usr/share/keyrings/app-protect-security-updates.gpg >/dev/null \
+	&& printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-app-protect.list \
+	&& printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" >> /etc/apt/sources.list.d/nginx-app-protect.list \
+	&& apt-get -y update \
+	&& apt-get -y install app-protect app-protect-attack-signatures; fi \
+
+# Optional API Connectivity Manager DevPortal
+# https://docs.nginx.com/nginx-management-suite/admin-guides/installation/on-prem/install-guide/
+	&& if [ "$DEVPORTAL" = "true" ] ; then \
+	printf "deb https://pkgs.nginx.com/nms/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nms.list \
+	&& apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ABF5BD827BD9BF62 \
+	&& apt-get -y update \
+	&& apt-get -y install nginx-devportal nginx-devportal-ui \
+	&& echo 'DB_TYPE="sqlite"' | tee -a /etc/nginx-devportal/devportal.conf \
+	&& echo 'DB_PATH="/var/lib/nginx-devportal"' | tee -a /etc/nginx-devportal/devportal.conf; fi \
+
+# Forward request logs to Docker log collector
+	&& ln -sf /dev/stdout /var/log/nginx/access.log \
+	&& ln -sf /dev/stderr /var/log/nginx/error.log
+
+EXPOSE 80
+STOPSIGNAL SIGTERM
+
+CMD /deployment/start.sh

nginx-agent-docker/README.md

@@ -0,0 +1,90 @@
+# NGINX Plus and NGINX Agent - Docker image builder
+
+## Description
+
+This repository can be used to build a docker image with NGINX Plus and NGINX Instance Manager Agent (https://docs.nginx.com/nginx-instance-manager/).
+
+## Tested releases
+
+This repository has been tested with NGINX agent for:
+
+- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0
+- API Connectivity Manager 1.4.0
+- NGINX App Protect WAF 4.100.1+
+
+## Prerequisites
+
+- Linux host running Docker to build the image
+- NGINX Plus license
+- A running [NGINX Instance Manager](https://docs.nginx.com/nginx-instance-manager/) instance
+- [API Connectivity Manager](https://docs.nginx.com/nginx-management-suite/acm/about/architecture/) if building with support for Developer Portal
+- Openshift/Kubernetes cluster
+
+## Building the docker image
+
+The install script can be used to build the Docker image using automated or manual agent install:
+
+```
+$ ./scripts/build.sh 
+NGINX Plus & NGINX Instance Manager agent Docker image builder
+
+ This tool builds a Docker image to run NGINX Plus and NGINX Instance Manager agent
+
+ === Usage:
+
+ ./scripts/build.sh [options]
+
+ === Options:
+
+ -h                     - This help
+ -t [target image]      - The Docker image to be created
+ -C [file.crt]          - Certificate to pull packages from the official NGINX repository
+ -K [file.key]          - Key to pull packages from the official NGINX repository
+ -n [URL]               - NGINX Instance Manager URL to fetch the agent
+ -d                     - Build support for NGINX API Gateway Developer Portal
+ -w                     - Add NGINX App Protect WAF
+
+ === Examples:
+
+ NGINX Plus and NGINX Agent image:
+ ./scripts/build.sh -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-with-agent:2.7.0 -n https://nim.f5.ff.lan
+
+ NGINX Plus, NGINX App Protect WAF and NGINX Agent image:
+ ./scripts/build.sh -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-with-agent:2.7.0 -w -n https://nim.f5.ff.lan
+
+ NGINX Plus, Developer Portal support and NGINX Agent image:
+ ./scripts/build.sh -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-with-agent:2.7.0-devportal -d -n https://nim.f5.ff.lan 
+```
+
+1. Clone this repository
+2. Get your license certificate and key to fetch NGINX Management Suite packages from NGINX repository
+3. [Install](https://docs.nginx.com/nginx-management-suite/) and start NGINX Management Suite / NGINX Instance Manager
+4. Build the Docker image using:
+
+```
+$ ./scripts/build.sh -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-with-agent:automated -n https://ubuntu.ff.lan
+```
+
+the build script will push the image to your private registry once build is complete.
+
+- the `-d` flag can be used to build a Docker image to run NGINX Plus in [Developer Portal](https://docs.nginx.com/nginx-management-suite/admin-guides/installation/on-prem/install-guide/#install-developer-portal) mode for [API Connectivity Manager](https://docs.nginx.com/nginx-management-suite/acm/about/architecture/)
+- the `-w` flag can be used to include NGINX App Protect WAF support in the docker image
+
+### Running the docker image
+
+1. Edit `manifests/1.nginx-nim.yaml` and specify the correct image by modifying the `image:` line, and set the following environment variables. Default values for `NIM_HOST` and `NIM_GRPC_PORT` can be used if NGINX Instance Manager is deployed using https://github.com/nginxinc/NGINX-Demos/tree/master/nginx-nms-docker
+  - `NIM_HOST` - NGINX Instance Manager hostname/IP address
+  - `NIM_GRPC_PORT` - NGINX Instance Manager gRPC port.
+  - `NIM_INSTANCEGROUP` - instance group for the NGINX Kubernetes Deployment
+  - `NIM_TAGS` - comma separated list of tags for the NGINX Kubernetes Deployment
+  - `NAP_WAF` - set to `"true"` to enable NGINX App Protect WAF (docker image built using `-w`)
+  - `NAP_WAF_PRECOMPILED_POLICIES` - set to `"true"` to enable NGINX App Protect WAF precompiled policies (docker image built using `-w`)
+
+2. Start and stop using
+
+```
+$ ./scripts/nginxWithAgentStart.sh start
+$ ./scripts/nginxWithAgentStart.sh stop
+```
+
+3. After startup NGINX Plus instances will register to NGINX Instance Manager and will be displayed on the "instances" dashboard

nginx-agent-docker/container/start.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+nginx
+sleep 2
+
+PARM="--server-grpcport $NIM_GRPC_PORT --server-host $NIM_HOST"
+
+if [[ ! -z "$NIM_INSTANCEGROUP" ]]; then
+   PARM="${PARM} --instance-group $NIM_INSTANCEGROUP"
+fi
+
+if [[ ! -z "$NIM_TAGS" ]]; then
+   PARM="${PARM} --tags $NIM_TAGS"
+fi
+
+if [[ "$NAP_WAF" == "true" ]]; then
+   PARM="${PARM} --nginx-app-protect-report-interval 15s --nap-monitoring-collector-buffer-size 50000 --nap-monitoring-processor-buffer-size 50000 --nap-monitoring-syslog-ip 127.0.0.1 --nap-monitoring-syslog-port 514"
+fi
+
+if [[ "$NAP_WAF_PRECOMPILED_POLICIES" == "true" ]]; then
+   PARM="${PARM} --nginx-app-protect-precompiled-publication"
+fi
+
+if [[ "$ACM_DEVPORTAL" == "true" ]]; then
+   nginx-devportal server &
+fi
+
+nginx-agent $PARM

nginx-agent-docker/manifests/1.nginx-with-agent.yaml

@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-nim
+  namespace: nim-test
+  labels:
+    app: nginx-nim
+spec:
+  selector:
+    matchLabels:
+      app: nginx-nim
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: nginx-nim
+    spec:
+      containers:
+      - name: nginx-nim
+        image: your.registry.tld/nginx-with-nim2-agent:tag
+        imagePullPolicy: Always
+        ports:
+        - name: http
+          containerPort: 80
+        env:
+          - name: NIM_HOST
+            # Default value to use if NGINX Instance Manager is installed using https://github.com/nginxinc/NGINX-Demos/tree/master/nginx-nms-docker or https://github.com/fabriziofiorucci/NGINX-NMS-Docker
+            value: "nginx-nim2.nginx-nim2"
+          - name: NIM_GRPC_PORT
+            value: "443"
+          - name: NIM_INSTANCEGROUP
+            value: "lab"
+          - name: NIM_TAGS
+            value: "preprod,devops"
+
+          # Optional if NGINX App Protect WAF is available in the docker image - set to "true" to enable
+          #- name: NAP_WAF
+          #  value: "true"
+          #- name: NAP_WAF_PRECOMPILED_POLICIES
+          #  value: "true"
+
+          # Optional if API Connectivity Manager Developer Portal is available in the docker image - set to "true" to enable
+          #- name: ACM_DEVPORTAL
+          #  value: "true"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-nim
+  namespace: nim-test
+  labels:
+    app: nginx-nim
+spec:
+  ports:
+  - name: http
+    port: 80
+  - name: api
+    port: 8080
+  selector:
+    app: nginx
+  type: ClusterIP
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nginx-nim
+  namespace: nim-test
+  annotations:
+    nginx.org/proxy-connect-timeout: "30s"
+    nginx.org/proxy-read-timeout: "20s"
+    nginx.org/client-max-body-size: "4m"
+    nginx.com/health-checks: "true"
+  labels:
+    app: nginx-nim
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: nim-test-nim.f5.ff.lan
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: nginx
+                port:
+                  number: 80

nginx-agent-docker/scripts/build.sh

@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-docker/#docker_plus
+
+BANNER="NGINX Plus & NGINX Instance Manager agent Docker image builder\n\n
+This tool builds a Docker image to run NGINX Plus and NGINX Instance Manager agent\n\n
+=== Usage:\n\n
+$0 [options]\n\n
+=== Options:\n\n
+-h\t\t\t- This help\n
+-t [target image]\t- The Docker image to be created\n
+-C [file.crt]\t\t- Certificate to pull packages from the official NGINX repository\n
+-K [file.key]\t\t- Key to pull packages from the official NGINX repository\n
+-n [URL]\t\t- NGINX Instance Manager URL to fetch the agent\n
+-d\t\t\t- Build support for NGINX API Gateway Developer Portal\n
+-w\t\t\t- Add NGINX App Protect WAF\n\n
+=== Examples:\n\n
+NGINX Plus and NGINX Agent image:\n
+  $0 -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-with-agent:2.7.0 -n https://nim.f5.ff.lan\n\n
+NGINX Plus, NGINX App Protect WAF and NGINX Agent image:\n
+  $0 -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-with-agent:2.7.0 -w -n https://nim.f5.ff.lan\n\n
+NGINX Plus, Developer Portal support and NGINX Agent image:\n
+  $0 -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-with-agent:2.7.0-devportal -d -n https://nim.f5.ff.lan
+\n"
+
+while getopts 'ht:C:K:a:n:dw' OPTION
+do
+	case "$OPTION" in
+		h)
+			echo -e $BANNER
+			exit
+		;;
+		t)
+			IMAGENAME=$OPTARG
+		;;
+		C)
+			NGINX_CERT=$OPTARG
+		;;
+		K)
+			NGINX_KEY=$OPTARG
+		;;
+		n)
+			NMSURL=$OPTARG
+		;;
+		d)
+			DEVPORTAL=true
+		;;
+		w)
+			NAP_WAF=true
+		;;
+	esac
+done
+
+if [ -z "$1" ]
+then
+	echo -e $BANNER
+	exit
+fi
+
+if [ -z "${IMAGENAME}" ]
+then
+        echo "Docker image name is required"
+        exit
+fi
+
+if [ -z "${NMSURL}" ]
+then
+        echo "NGINX Instance Manager URL is required"
+        exit
+fi
+
+if ([ -z "${NGINX_CERT}" ] || [ -z "${NGINX_KEY}" ])
+then
+        echo "NGINX certificate and key are required for automated installation"
+        exit
+fi
+
+echo "=> Target docker image is $IMAGENAME"
+
+if [ ! -z "${DEVPORTAL}" ]
+then
+echo "=> Building with Developer Portal support"
+fi
+
+if [ ! -z "${NAP_WAF}" ]
+then
+echo "=> Building with NGINX App Protect WAF support"
+fi
+
+DOCKER_BUILDKIT=1 docker build --no-cache -f Dockerfile \
+	--secret id=nginx-key,src=$NGINX_KEY --secret id=nginx-crt,src=$NGINX_CERT \
+	--build-arg NMS_URL=$NMSURL --build-arg DEVPORTAL=$DEVPORTAL --build-arg NAP_WAF=$NAP_WAF -t $IMAGENAME .
+
+echo "=> Build complete for $IMAGENAME"
+docker push $IMAGENAME

nginx-agent-docker/scripts/nginxWithAgentStart.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+NAMESPACE=nim-test
+
+case $1 in
+	'start')
+		kubectl create namespace $NAMESPACE
+
+		pushd manifests/
+		kubectl apply -n $NAMESPACE -f .
+		popd
+	;;
+	'stop')
+		kubectl delete namespace $NAMESPACE
+	;;
+	*)
+		echo "$0 [start|stop]"
+		exit
+	;;
+esac