nginx-gateway-fabric/build/Dockerfile.nginx at 688ebb63bdb37fb43619700e80167b896d026bca · nginx/nginx-gateway-fabric · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# syntax=docker/dockerfile:1.20
FROM scratch AS nginx-files

# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 <local_file> <container_file>
ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub

FROM nginx:1.29.3-alpine-otel

# renovate: datasource=github-tags depName=nginx/agent
ARG NGINX_AGENT_VERSION=v3.6.1
ARG NJS_DIR
ARG NGINX_CONF_DIR
ARG BUILD_AGENT

# Fixes for CVEs; can be removed once base image is updated
RUN apk update && apk add --no-cache 'libpng>=1.6.53-r0' 'ssl_client>=1.37.0-r20' 'busybox-binsh>=1.37.0-r20'

RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
    printf "%s\n" "https://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
    && apk add --no-cache nginx-agent=${NGINX_AGENT_VERSION#v}

RUN apk add --no-cache bash \
    && mkdir -p /usr/lib/nginx/modules \
    # forward request and error logs to docker log collector
    && ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log

COPY build/entrypoint.sh /agent/entrypoint.sh
COPY ${NJS_DIR}/ /usr/lib/nginx/modules/njs/
COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf
COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf
COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf

# Create empty /run/.containerenv file so agent can identify that it's running in a container
RUN mkdir -p /run && touch /run/.containerenv

RUN chown -R 101:1001 /etc/nginx /var/cache/nginx

LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}"

USER 101:1001

ENTRYPOINT ["/agent/entrypoint.sh"]