# syntax=docker/dockerfile:1.20
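FROM scratch AS nginx-files

# Repo definitions and the package signing key, staged in an empty image so the
# install step can bind-mount them instead of copying them into a layer.
# The two remote files are downloaded by the build itself. The files that must be
# provided at build time are the NGINX Plus repo client certificate and key,
# which the install step takes as BuildKit secrets.
#
# NOTE(review): neither download is pinned. nginx_signing.key is later imported
# with `rpm --import` and becomes the RPM trust anchor, so its integrity rests on
# TLS to nginx.org alone. Remote ADD accepts --checksum=sha256:<expected-digest>;
# pinning at least the key makes an unexpected change fail the build.
ADD --link --chown=101:1001 https://cs.nginx.com/static/files/plus-9.repo nginx-plus.repo
ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key

# Local plain file: COPY does the same job and never auto-extracts or fetches.
COPY --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo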
# Dependency image, pinned by digest. The install step bind-mounts its root
# filesystem at /ubi-bin/ to pick up the c-ares RPM.
FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:c69c8a1d3255d5adaa30de233293d76fa3d903a5583c5933e26567d4e4c6f877 AS ubi9-packages
# Base of the final image.
# NOTE(review): pinned by tag only, unlike the digest-pinned stage above; adding
# @sha256:<digest> would keep a re-pointed tag from changing the base silently.
FROM redhat/ubi9-minimal:9.7-1764794109 AS ubi-nginx-plus
# NGINX Plus release; the install step lower-cases it to build the package names.
ARG NGINX_PLUS_VERSION=R36
# renovate: datasource=github-tags depName=nginx/agent
ARG NGINX_AGENT_VERSION=v3.6.1
# The three args below have no default, so they expand to an empty string unless
# passed with --build-arg. NJS_DIR and NGINX_CONF_DIR are build-context paths
# used by the COPY instructions; BUILD_AGENT is recorded in a label.
ARG NJS_DIR
ARG NGINX_CONF_DIR
ARG BUILD_AGENT
# Image metadata: descriptive labels, the io.k8s / io.openshift keys, and the
# BUILD_AGENT build arg recorded as org.nginx.ngf.image.build.agent.
LABEL name="F5 NGINX Gateway Fabric NGINX Plus" \
      maintainer="kubernetes@nginx.com" \
      vendor="F5 NGINX" \
      summary="NGINX Gateway Fabric" \
      description="NGINX Gateway Fabric provides an implementation for the Gateway API using NGINX as the data plane." \
      org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \
      io.k8s.description="NGINX Gateway Fabric provides an implementation for the Gateway API using NGINX as the data plane." \
      io.openshift.tags="nginx,gateway,kubernetes,openshift"

# Ship the license text under /licenses/.
COPY --link --chown=101:1001 LICENSE /licenses/
# Install NGINX Plus, the njs and otel modules, and nginx-agent in one layer.
# Repo files, the signing key and the dependency image are bind mounts, and the
# repo client certificate/key are secret mounts, so their contents are available
# to this step only and are not stored in the resulting layer.
# NOTE(review): mode=0644 is wider than the 0400 default for secret mounts. This
# step runs before the USER instruction (presumably as root), so the default is
# probably enough for nginx-repo.key - confirm before tightening.
# NOTE(review): `${VAR,,}` is a bash expansion, so this relies on the RUN shell
# of the base image being bash.
RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos.d/nginx-plus.repo \
    --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \
    --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
    --mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \
    --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
    --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
    # Register the NGINX signing key with rpm
    rpm --import /tmp/nginx_signing.key \
    # c-ares is taken from the dependencies image (contains required libs)
    && rpm -Uvh /ubi-bin/c-ares-*.rpm \
    # nginx user and group with fixed IDs (uid 101, gid 1001), no login shell
    && groupadd -g 1001 nginx \
    && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \
    # NGINX Plus first, then its modules (njs, otel), all at the lower-cased release
    && microdnf --nodocs install -y nginx-plus-${NGINX_PLUS_VERSION,,} \
    && microdnf --nodocs install -y nginx-plus-module-njs-${NGINX_PLUS_VERSION,,} nginx-plus-module-otel-${NGINX_PLUS_VERSION,,} \
    # nginx-agent: the leading "v" is stripped and the trailing * leaves the rest
    # of the version string open, so this is a prefix match rather than an exact pin
    && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \
    # Drop package manager caches in the same layer
    && microdnf clean all \
    && rm -rf /var/cache/yum
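# Prepare runtime directories, log redirection, the writable html copy and
# ownership. Kept in one RUN so the recursive chown does not store the files
# it touches a second time in an extra layer.
RUN mkdir -p /var/run/nginx /usr/lib64/nginx/modules /etc/nginx/html \
    # Forward request and error logs to docker log collector
    && ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log \
    # Copy default html files to a writable location
    && cp /usr/share/nginx/html/* /etc/nginx/html/ \
    # Hand only the config tree and the cache directory to the nginx user
    # (101:1001). /var/run/nginx and /usr/lib64/nginx/modules are not chowned
    # here and keep the ownership they were created with.
    && chown -R 101:1001 /etc/nginx /var/cache/nginx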
# Copy configuration files and scripts
# No --chown is given on these COPY instructions, so the copied files are
# root-owned rather than owned by the runtime user 101:1001.
# NOTE(review): NJS_DIR and NGINX_CONF_DIR are declared without defaults. With
# NJS_DIR empty the source below becomes "/", which should resolve to the whole
# build context - TODO confirm every build passes both args.
COPY build/entrypoint.sh /agent/entrypoint.sh
COPY ${NJS_DIR}/ /usr/lib64/nginx/modules/njs/
COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf
COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf
COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf
# Create empty /run/.containerenv file so agent can identify that it's running in a container
RUN mkdir -p /run && touch /run/.containerenv
# Switch to non-root user
# Numeric uid:gid matches the nginx user and group created in the install step.
USER 101:1001
# Exec form: the entrypoint script is started directly, without a wrapping shell.
ENTRYPOINT ["/agent/entrypoint.sh"]