Dockerfile and container start updated (#131)

fabriziofiorucci · web-flow · commit 944b50be8fa1 · 2024-01-09T14:37:29.000-09:00
* Added API Connectivity Manager 1.5.0 support

* Ownership fix

* Startup script fix

* NGINX App Protect WAF updates

* Tested with NGINX Instance Manager 2.9.1

* Added docker-compose support

* Tested with NGINX Instance Manager 2.10.0 and Security Monitoring 1.4.0

* Tested with NGINX Instance Manager 2.10.0 and API Connectivity Manager 1.5.0

* Tested with API Connectivity Manager 1.6.0

* Tested with API Connectivity Manager 1.6.0

* README updated

* Added support for NGINX Instance Manager 2.10.1 and App Delivery Manager 4.0.0

* Fixed NGINX App Protect detection bug for NGINX Instance Manager 2.10.0+

* Fixed agent syslog receiver bug

* README updated

* Tested with NGINX Instance Manager 2.11.0 and Security Monitoring 1.5.0

* Tested with NGINX Instance Manager 2.11.0

* Tested with NGINX API Connectivity Manager 1.7.0

* Tested with NGINX Instance Manager 2.12.0 and Security Monitoring 1.6.0

* Tested with API Connectivity Manager 1.8.0

* Tested with API Connectivity Manager 1.8.0

* Tested with NGINX Instance Manager 2.12.0

* Dockerfile updated

* Support for NGINX Instance Manager 2.13

* Tested with NGINX Instance Manager 2.13

* Tested with NIM 2.14.0 and SM 1.7.0

* Tested with NIM 2.14.0 and SM 1.7.0

* Tested with NGINX Instance Manager 2.14.0

* Tested with NGINX Instance Manager 2.14.0

* Tested with NGINX App Protect compiler v4.583.0

* Start script updated

* Advanced metrics support added

* Advanced metrics support added

* Removed Application Delivery Manger, tested with NGINX Instance Manager 2.15.0

* Removed devportal, tested with NGINX Instance Manager 2.15.0

* Removed API Connectivity Manager

* Dockerfile and container start updated

---------

Signed-off-by: 65397 &lt;fiorucci@oasi.asti.it&gt;
diff --git a/nginx-agent-docker/Dockerfile b/nginx-agent-docker/Dockerfile
@@ -8,7 +8,9 @@ RUN	apt-get -y update \
 	&& apt-get -y install apt-transport-https lsb-release ca-certificates wget gnupg2 curl debian-archive-keyring iproute2 \
 	&& mkdir -p /deployment /etc/ssl/nginx \
 	&& addgroup --system --gid 20983 nginx \
-	&& adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 20983 nginx
+	&& adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 20983 nginx \
+        && wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq \
+        && chmod +x /usr/bin/yq
 
 # Use certificate and key from kubernetes secret
 RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
@@ -38,7 +40,9 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644
 	&& usermod nginx -G nginx-agent \
 
 # NGINX Instance Manager agent installation
-	&& bash -c 'curl -k $NMS_URL/install/nginx-agent | sh' && echo "Agent installed from NMS"
+	&& if [ `curl -o /dev/null -sk -w "%{http_code}\n" $NMS_URL/install/nginx-agent` = 200 ] ; then \
+	bash -c 'curl -k $NMS_URL/install/nginx-agent | sh' && echo "NGINX Agent installed"; else \
+	bash -c 'export DATAPLANE_KEY="placeholder" && curl -k $NMS_URL/nginx-agent/install | sh || :' && echo "NGINX Agent installed"; fi
 
 # Startup script
 COPY ./container/start.sh /deployment/
diff --git a/nginx-agent-docker/container/start.sh b/nginx-agent-docker/container/start.sh
@@ -27,24 +27,25 @@ if [[ ! -z "$NIM_TAGS" ]]; then
    PARM="${PARM} --tags $NIM_TAGS"
 fi
 
+if [[ ! -z "$NIM_TOKEN" ]]; then
+      yq -i '
+	.server.token=strenv(NIM_TOKEN)
+	' /etc/nginx-agent/nginx-agent.conf
+fi
+
 if [[ "$NIM_ADVANCED_METRICS" == "true" ]]; then
    if [ $OLD_AGENT == "false" ]
    then
-      EXTRA_EXTENSIONS="- advanced-metrics"
-
-      cat - << __EOT__ >> /etc/nginx-agent/nginx-agent.conf
-
-# Advanced metrics
-advanced_metrics:
-  socket_path: /var/run/nginx-agent/advanced-metrics.sock
-  aggregation_period: 1s
-  publishing_period: 3s
-  table_sizes_limits:
-    staging_table_max_size: 1000
-    staging_table_threshold: 1000
-    priority_table_max_size: 1000
-    priority_table_threshold: 1000
-__EOT__
+      yq -i '
+	.advanced_metrics.socket_path="/var/run/nginx-agent/advanced-metrics.sock" |
+	.advanced_metrics.aggregation_period="1s" |
+	.advanced_metrics.publishing_period="3s" |
+	.advanced_metrics.table_sizes_limits.staging_table_max_size=1000 |
+	.advanced_metrics.table_sizes_limits.staging_table_threshold=1000 |
+	.advanced_metrics.table_sizes_limits.priority_table_max_size=1000 |
+	.advanced_metrics.table_sizes_limits.priority_table_threshold= 1000 |
+	.extensions += ["advanced-metrics"]
+	' /etc/nginx-agent/nginx-agent.conf
    fi
 fi
 
@@ -53,21 +54,15 @@ if [[ "$NAP_WAF" == "true" ]]; then
    then
       PARM="${PARM} --nginx-app-protect-report-interval 15s --nap-monitoring-collector-buffer-size 50000 --nap-monitoring-processor-buffer-size 50000 --nap-monitoring-syslog-ip 127.0.0.1 --nap-monitoring-syslog-port 514"
    else
-      EXTRA_EXTENSIONS=$EXTRA_EXTENSIONS"\n- nginx-app-protect\n- nap-monitoring"
-
-      cat - << __EOT__ >> /etc/nginx-agent/nginx-agent.conf
-
-# NGINX App Protect Monitoring config
-nap_monitoring:
-  # Buffer size for collector. Will contain log lines and parsed log lines
-  collector_buffer_size: 50000
-  # Buffer size for processor. Will contain log lines and parsed log lines
-  processor_buffer_size: 50000
-  # Syslog server IP address the collector will be listening to
-  syslog_ip: "127.0.0.1"
-  # Syslog server port the collector will be listening to
-  syslog_port: 514
-__EOT__
+      export FQDN=127.0.0.1
+
+      yq -i '
+	.nap_monitoring.collector_buffer_size=50000 |
+	.nap_monitoring.processor_buffer_size=50000 |
+	.nap_monitoring.syslog_ip=strenv(FQDN) |
+	.nap_monitoring.syslog_port=514 |
+	.extensions += ["nginx-app-protect","nap-monitoring"]
+	' /etc/nginx-agent/nginx-agent.conf
    fi
 
    su - nginx -s /bin/bash -c "/opt/app_protect/bin/bd_agent &"
@@ -85,24 +80,12 @@ if [[ "$NAP_WAF_PRECOMPILED_POLICIES" == "true" ]]; then
    then
       PARM="${PARM} --nginx-app-protect-precompiled-publication"
    else
-      cat - << __EOT__ >> /etc/nginx-agent/nginx-agent.conf
-
-# Enable NGINX App Protect WAF precompiled policies
-nginx_app_protect:
-  precompiled_publication: true
-__EOT__
+      yq -i '
+	.nginx_app_protect.precompiled_publication=true
+	' /etc/nginx-agent/nginx-agent.conf
    fi
 fi
 
 fi
 
-if [[ "$EXTRA_EXTENSIONS" != "" ]]; then
-  cat - << __EOT__ >> /etc/nginx-agent/nginx-agent.conf
-
-# Enable extensions
-extensions:
-`echo -e $EXTRA_EXTENSIONS | sed "s/^/\ \ /g"`
-__EOT__
-fi
-
 sg nginx-agent "/usr/bin/nginx-agent $PARM"
diff --git a/nginx-agent-docker/manifests/1.nginx-with-agent.yaml b/nginx-agent-docker/manifests/1.nginx-with-agent.yaml
@@ -28,6 +28,8 @@ spec:
             value: "nginx-nim2.nginx-nim2"
           - name: NIM_GRPC_PORT
             value: "443"
+          - name: NIM_TOKEN
+            value: "XYZ"
           - name: NIM_INSTANCEGROUP
             value: "lab"
           - name: NIM_TAGS
