8000 Integrate NAP WAF v5 (#5698) · nginx/kubernetes-ingress@adcdd3d · GitHub

Commit adcdd3d

authored
Integrate NAP WAF v5 (#5698)
1 parent 2e99813 commit adcdd3d

25 files changed

+665
-55
lines changed

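--- a/.github/config/config-plus-gcr-release
+++ b/.github/config/config-plus-gcr-release
@@ -1,6 +1,7 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
 declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl& E7F5 quot;)
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")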

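--- a/.github/config/config-plus-nginx
+++ b/.github/config/config-plus-nginx
@@ -2,6 +2,7 @@ export TARGET_REGISTRY=docker-mgmt.nginx.com
 export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
 declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")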

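--- a/.github/scripts/copy-images.sh
+++ b/.github/scripts/copy-images.sh
@@ -28,19 +28,25 @@ TARGET_OSS_IMAGE_PREFIX=${TARGET_OSS_IMAGE_PREFIX:-"nginx-ic/nginx-ingress"}
 
 SOURCE_PLUS_IMAGE_PREFIX=${SOURCE_PLUS_IMAGE_PREFIX:-"nginx-ic/nginx-plus-ingress"}
 SOURCE_NAP_WAF_IMAGE_PREFIX=${SOURCE_NAP_WAF_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
+SOURCE_NAP_WAFV5_IMAGE_PREFIX=${SOURCE_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap-v5/nginx-plus-ingress"}
 SOURCE_NAP_DOS_IMAGE_PREFIX=${SOURCE_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"}
 SOURCE_NAP_WAF_DOS_IMAGE_PREFIX=${SOURCE_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"}
+SOURCE_NAP_WAFV5_DOS_IMAGE_PREFIX=${SOURCE_NAP_WAFV5_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap-v5/nginx-plus-ingress"}
 
 TARGET_PLUS_IMAGE_PREFIX=${TARGET_PLUS_IMAGE_PREFIX:-"nginx-ic/nginx-plus-ingress"}
 TARGET_NAP_WAF_IMAGE_PREFIX=${TARGET_NAP_WAF_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
+TARGET_NAP_WAFV5_IMAGE_PREFIX=${TARGET_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
 TARGET_NAP_DOS_IMAGE_PREFIX=${TARGET_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"}
 TARGET_NAP_WAF_DOS_IMAGE_PREFIX=${TARGET_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"}
+TARGET_NAP_WAFV5_DOS_IMAGE_PREFIX=${TARGET_NAP_WAFV5_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap-v5/nginx-plus-ingress"}
 
 declare -a OSS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine")
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
 declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=()
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a NAP_WAFV5_DOS_TAG_POSTFIX_LIST=()
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
 
 CONFIG_PATH=${CONFIG_PATH:-~/.nic-release/config}
@@ -152,6 +158,29 @@ if $PUBLISH_WAF; then
 done
 fi
 done
+for postfix in "${NAP_WAFV5_TAG_POSTFIX_LIST[@]}"; do
+image=${SOURCE_REGISTRY}/${SOURCE_NAP_WAFV5_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
+echo "Processing image ${image}"
+new_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAFV5_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
+if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+echo " ECR is immutable & tag ${new_tag} already exists, skipping."
+else
+echo " Pushing image NAP WAFV5 ${new_tag}..."
+if ! $DRY_RUN; then
+skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+fi
+for tag in "${ADDITIONAL_TAGS[@]}"; do
+if [ -z "${tag}" ]; then
+continue
+fi
+additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAFV5_IMAGE_PREFIX}:${tag}${postfix}
+echo " Pushing image NAP WAFV5 ${additional_tag}..."
+if ! $DRY_RUN; then
+skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+fi
+done
+fi
+done
 else
 echo "Skipping Publish Plus WAF flow"
 fi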
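Review bot: `TARGET_NAP_WAFV5_IMAGE_PREFIX` defaults to `nginx-ic-nap/nginx-plus-ingress`, the same repository as `TARGET_NAP_WAF_IMAGE_PREFIX`, although the matching source prefix is `nginx-ic-nap-v5/nginx-plus-ingress`. Neither config hunk on this page overrides it, and both give the v5 list the postfixes `""`, `-ubi` and `-alpine-fips`, which the v4 list also contains. The new loop therefore resolves to the same `${TARGET_TAG}${postfix}` references the WAF v4 loop has just pushed: the v5 image either replaces the v4 one, or on an immutable registry it is silently skipped by the `skopeo inspect` check. Unless the shared repository is intended, the default should read `TARGET_NAP_WAFV5_IMAGE_PREFIX=${TARGET_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap-v5/nginx-plus-ingress"}`. The `*_NAP_WAFV5_DOS_*` prefixes and `NAP_WAFV5_DOS_TAG_POSTFIX_LIST` are declared in the first hunk, but no loop in the visible hunks consumes them.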

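--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -123,8 +123,8 @@ jobs:
 uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
 with:
 images: |
-name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress
-name=docker-mgmt.nginx.com/nginx-ic${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}/nginx-plus-ingress,enable=${{ inputs.publish-nginx-reqistry && ! contains(inputs.target, 'aws') }}
+name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress
+name=docker-mgmt.nginx.com/nginx-ic${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.image, 'v5') && '-v5' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}/nginx-plus-ingress,enable=${{ inputs.publish-nginx-reqistry && ! contains(inputs.target, 'aws') }}
 name=709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},enable=${{ inputs.publish-aws-market-place && contains(inputs.target, 'aws') }}
 flavor: |
 suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}},onlatest=true
@@ -205,6 +205,7 @@ jobs:
 PREBUILT_BASE_IMG=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }}
 IC_VERSION=${{ github.ref_type == 'tag' && steps.meta.outputs.version || 'CI' }}
 ${{ inputs.nap_modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }}
+${{ contains(inputs.image, 'v5') && 'WAF_VERSION=v5' || '' }}
 ${{ (contains(inputs.target, 'aws') && inputs.nap_modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
 secrets: |
 "nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"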
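Review bot: The ECR entry under `images:` (`709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress…`) is the only image name left without the `-v5` segment, so a v5 build with an `aws` target would publish under the same repository and tags as the WAF v4 image. The CI matrix on this page only uses `target: goreleaser` for v5, so this path may not be reachable today. If it is not, a comment should say so; otherwise append `${{ contains(inputs.image, 'v5') && '-v5' || '' }}` to that name as well. Both hunks also key off `contains(inputs.image, 'v5')`, a substring match on the image name. An explicit workflow input for the WAF version would make it harder to trigger the `WAF_VERSION=v5` build-arg and the registry path by accident.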

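--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -739,6 +739,22 @@ jobs:
 target: goreleaser
 platforms: "linux/amd64"
 nap_modules: waf
+- image: alpine-plus-nap-v5-fips
+target: goreleaser
+platforms: "linux/amd64"
+nap_modules: waf
+- image: debian-plus-nap-v5
+target: goreleaser
+platforms: "linux/amd64"
+nap_modules: waf
+- image: ubi-9-plus-nap-v5
+target: goreleaser
+platforms: "linux/amd64"
+nap_modules: waf
+- image: ubi-8-plus-nap-v5
+target: goreleaser
+platforms: "linux/amd64"
+nap_modules: waf
 uses: ./.github/workflows/build-plus.yml
 with:
 platforms: ${{ matrix.platforms }}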
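Review bot: All four new matrix entries build with `nap_modules: waf`, including `ubi-8-plus-nap-v5`, yet the Makefile in this commit uses that BUILD_OS only in `ubi-image-nap-dos-v5-plus`, with `NAP_MODULES=waf,dos`. As far as this hunk shows, the WAF v5 plus DoS combination is never built in CI. Consider adding an entry with `nap_modules: waf,dos`, or a comment such as `# WAF v5 + DoS is not built in CI yet` if the omission is deliberate. The matrix begins and ends outside the hunk, so another job may already cover it.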

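--- a/Makefile
+++ b/Makefile
@@ -31,8 +31,8 @@ export DOCKER_BUILDKIT = 1
 
 .PHONY: help
 help: Makefile ## Display this help
-@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "; printf "Usage:\n\n make \033[36m<target>\033[0m [VARIABLE=value...]\n\nTargets:\n\n"}; {printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}'
-@grep -E '^(override )?[a-zA-Z_-]+ \??\+?= .*? ## .*$$' $< | sort | awk 'BEGIN {FS = " \\??\\+?= .*? ## "; printf "\nVariables:\n\n"}; {gsub(/override /, "", $$1); printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}'
+@grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "; printf "Usage:\n\n make \033[36m<target>\033[0m [VARIABLE=value...]\n\nTargets:\n\n"}; {printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}'
+@grep -E '^(override )?[a-zA-Z0-9_-]+ \??\+?= .*? ## .*$$' $< | sort | awk 'BEGIN {FS = " \\??\\+?= .*? ## "; printf "\nVariables:\n\n"}; {gsub(/override /, "", $$1); printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
 .PHONY: all
 all: test lint verify-codegen update-crds debian-image
@@ -141,6 +141,13 @@ alpine-image-plus-fips: build ## Create Docker image for Ingress Controller (Alp
 alpine-image-nap-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF and FIPS)
 $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-fips --build-arg NGINX_AGENT=$(NGINX_AGENT)
 
+.PHONY: alpine-image-nap-v5-plus-fips
+alpine-image-nap-v5-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAFv5 and FIPS)
+$(DOCKER_CMD) $(PLUS_ARGS) \
+--build-arg BUILD_OS=alpine-plus-nap-v5-fips \
+--build-arg NGINX_AGENT=$(NGINX_AGENT) \
+--build-arg WAF_VERSION=v5
+
 .PHONY: debian-image-plus
 debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus)
 $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus
@@ -149,6 +156,14 @@ debian-image-plus: build ## Create Docker image for Ingress Controller (Debian w
 debian-image-nap-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAF)
 $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf --build-arg NGINX_AGENT=$(NGINX_AGENT)
 
+.PHONY: debian-image-nap-v5-plus
+debian-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAFv5)
+$(DOCKER_CMD) $(PLUS_ARGS) \
+--build-arg BUILD_OS=debian-plus-nap-v5 \
+--build-arg NAP_MODULES=waf \
+--build-arg NGINX_AGENT=$(NGINX_AGENT) \
+--build-arg WAF_VERSION=v5
+
 .PHONY: debian-image-dos-plus
 debian-image-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect DoS)
 $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=dos
@@ -169,6 +184,14 @@ ubi-image-plus: build ## Create Docker image for Ingress Controller (UBI with NG
 ubi-image-nap-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAF)
 $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap --build-arg NAP_MODULES=waf --build-arg NGINX_AGENT=$(NGINX_AGENT)
 
+.PHONY: ubi-image-nap-v5-plus
+ubi-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAFv5)
+$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license \
+--build-arg BUILD_OS=ubi-9-plus-nap-v5 \
+--build-arg NAP_MODULES=waf \
+--build-arg NGINX_AGENT=$(NGINX_AGENT) \
+--build-arg WAF_VERSION=v5
+
 .PHONY: ubi-image-dos-plus
 ubi-image-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect DoS)
 $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-8-plus-nap --build-arg NAP_MODULES=dos
@@ -177,6 +200,14 @@ ubi-image-dos-plus: build ## Create Docker image for Ingress Controller (UBI wit
 ubi-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, NGINX App Protect WAF and DoS)
 $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-8-plus-nap --build-arg NAP_MODULES=waf,dos --build-arg NGINX_AGENT=$(NGINX_AGENT)
 
+.PHONY: ubi-image-nap-dos-v5-plus
+ubi-image-nap-dos-v5-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, NGINX App Protect WAFv5 and DoS)
+$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license \
+--build-arg BUILD_OS=ubi-8-plus-nap-v5 \
+--build-arg NAP_MODULES=waf,dos \
+--build-arg NGINX_AGENT=$(NGINX_AGENT) \
+--build-arg WAF_VERSION=v5
+
 .PHONY: all-images ## Create all the Docker images for Ingress Controller
 all-images: alpine-image alpine-image-plus alpine-image-plus-fips alpine-image-nap-plus-fips debian-image debian-image-plus debian-image-nap-plus debian-image-dos-plus debian-image-nap-dos-plus ubi-image ubi-image-plus ubi-image-nap-plus ubi-image-dos-plus ubi-image-nap-dos-plus
 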
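Review bot: `alpine-image-nap-v5-plus-fips` is the only new v5 target that does not pass `--build-arg NAP_MODULES=waf`, while the CI matrix entry for `alpine-plus-nap-v5-fips` sets `nap_modules: waf`, so a local `make` build and the CI build of the same BUILD_OS receive different build args. The existing `alpine-image-nap-plus-fips` target omits it too, so this may be deliberate; if the Dockerfile relies on it, add `--build-arg NAP_MODULES=waf \` after the BUILD_OS line. The `all-images` prerequisite list in the last hunk is unchanged, so none of the four new targets is built by `make all-images`. The target names also place `v5` inconsistently (`ubi-image-nap-v5-plus` versus `ubi-image-nap-dos-v5-plus`), which makes them harder to discover from `make help`.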
