oracle-cne · oracle-cne-bot · Aug 21, 2025
diff --git a/build-images.sh b/build-images.sh
@@ -0,0 +1,51 @@
+#!/bin/bash -x
+#
+# Copyright (c) 2024-2025, Oracle and/or its affiliates. All rights reserved.
+#
+
+VERSION="${1}"
+ARCH="${2}"
+
+NGINX_IMAGE_NAME=ingress-nginx
+CONTROLLER_IMAGE_NAME=ingress-nginx-controller
+REGISTRY=container-registry.oracle.com/olcne
+NGINX_IMAGE=${REGISTRY}/${NGINX_IMAGE_NAME}:v${VERSION}
+
+# Build nginx image and its modules, use that as base image for building controller image
+podman build --rm=true --pull \
+   --build-arg https_proxy=${https_proxy} \
+   --build-arg http_proxy=${https_proxy} \
+   --tag=${NGINX_IMAGE} \
+   -f images/nginx/rootfs/Dockerfile \
+   images/nginx/rootfs
+
+# Build ingress-nginx-controller image
+cp -f ./LICENSE ./THIRD_PARTY_LICENSES.txt rootfs/
+make ARCH=${ARCH} build image \
+  -e BASE_IMAGE=${NGINX_IMAGE} \
+  -e TAG=v${VERSION} \
+  -e REGISTRY=${REGISTRY} \
+  DOCKER_IN_DOCKER_ENABLED=true
+docker save -o ingress-nginx-controller.tar ${REGISTRY}/ingress-nginx-controller:v${VERSION}
+
+# kube-webhook-certgen
+pushd images/kube-webhook-certgen/rootfs
+go build -a -o kube-webhook-certgen main.go
+popd
+
+docker build --no-cache --pull \
+   --build-arg https_proxy=${https_proxy} \
+   -t ${REGISTRY}/kube-webhook-certgen:v${VERSION} . \
+   -f ./olm/builds/Dockerfile.kube-webhook-certgen
+docker save -o kube-webhook-certgen.tar ${REGISTRY}/kube-webhook-certgen:v${VERSION}
+
+# custom-error-pages
+pushd images/custom-error-pages/rootfs
+go get . && CGO_ENABLED=0 go build -a -installsuffix cgo -ldflags "-s -w" -o nginx-errors main.go metrics.go
+popd
+
+docker build --no-cache --pull \
+   --build-arg https_proxy=${https_proxy} \
+   -t container-registry.oracle.com/olcne/custom-error-pages:v${VERSION} . \
+   -f ./olm/builds/Dockerfile.custom-error-pages
+docker save -o custom-error-pages.tar container-registry.oracle.com/olcne/custom-error-pages:v${VERSION}
diff --git a/buildrpm/Dockerfile.patch b/buildrpm/Dockerfile.patch
@@ -0,0 +1,86 @@
+diff --git images/nginx/rootfs/Dockerfile images/nginx/rootfs/Dockerfile
+index 8f6bab137..b9a0fd06b 100644
+--- images/nginx/rootfs/Dockerfile
++++ images/nginx/rootfs/Dockerfile
+@@ -11,17 +11,18 @@
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+-FROM alpine:3.21 AS builder
++FROM container-registry.oracle.com/os/oraclelinux:9-slim as builder
+
+ COPY . /
++COPY oracle-epel-ol9.repo /etc/yum.repos.d/
++COPY oracle-codeready-ol9.repo /etc/yum.repos.d/
+
+-RUN apk update \
+-  && apk upgrade \
+-  && apk add -U bash --no-cache \
+-  && /build.sh
++RUN  /build.sh
+
+ # Use a multi-stage build
+-FROM alpine:3.21
++FROM container-registry.oracle.com/os/oraclelinux:9-slim
++COPY oracle-epel-ol9.repo /etc/yum.repos.d/
++COPY oracle-codeready-ol9.repo /etc/yum.repos.d/
+
+ ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin
+
+@@ -29,33 +30,32 @@ ENV LUA_PATH="/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1
+ ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
+
+ COPY --from=builder /usr/local /usr/local
+-COPY --from=builder /usr/lib/libopentelemetry* /usr/local/lib
+-COPY --from=builder /opt /opt
++COPY --from=builder /lib64/libopentelemetry* /lib64
++#COPY --from=builder /opt /opt
++COPY --from=builder /usr/local/lib /lib64
+ COPY --from=builder /etc/nginx /etc/nginx
+
+-RUN apk update \
+-  && apk upgrade \
+-  && apk add -U --no-cache \
+-  bash \
+-  openssl \
+-  pcre \
+-  zlib \
+-  ca-certificates \
+-  patch \
+-  yajl \
+-  lmdb \
+-  libxml2 \
+-  libmaxminddb \
+-  yaml-cpp \
+-  dumb-init \
+-  tzdata \
+-  grpc-cpp \
+-  libprotobuf \
+-  abseil-cpp-crc-cpu-detect \
+-  abseil-cpp-vlog-config-internal \
++RUN microdnf update -y && \
++    microdnf install --nodocs \
++    bash \
++    openssl \
++    pcre \
++    zlib \
++    curl \
++    ca-certificates \
++    patch \
++    yajl \
++    lmdb \
++    libxml2 \
++    libmaxminddb \
++    yaml-cpp \
++    tzdata \
++    grpc-cpp \
++    abseil-cpp \
++    abseil-cpp-devel \
+   && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \
+-  && adduser -S -D -H -u 101 -h /usr/local/nginx \
+-  -s /sbin/nologin -G www-data -g www-data www-data \
++  && groupadd -rg 101 www-data \
++  && useradd --system --uid 101 --home /usr/local/nginx --shell /sbin/nologin --gid www-data www-data \
+   && bash -eu -c ' \
+   writeDirs=( \
+   /var/log/nginx \
diff --git a/buildrpm/Dockerfile_controller.patch b/buildrpm/Dockerfile_controller.patch
@@ -0,0 +1,50 @@
+diff --git rootfs/Dockerfile rootfs/Dockerfile
+index 9b7753b5d..6743a522e 100644
+--- rootfs/Dockerfile
++++ rootfs/Dockerfile
+@@ -33,17 +33,17 @@ LABEL build_id="${BUILD_ID}"
+
+ WORKDIR  /etc/nginx
+
+-RUN apk update \
+-  && apk upgrade \
+-  && apk add --no-cache \
++RUN microdnf install \
+     diffutils \
+-  && rm -rf /var/cache/apk/*
++  && microdnf clean all \
++  && rm -rf /var/cache/* /var/lib/rpm/* /var/lib/dnf/*
+
+ COPY --chown=www-data:www-data etc /etc
+
+ COPY --chown=www-data:www-data bin/${TARGETARCH}/dbg /
+ COPY --chown=www-data:www-data bin/${TARGETARCH}/nginx-ingress-controller /
+ COPY --chown=www-data:www-data bin/${TARGETARCH}/wait-shutdown /
++COPY ./LICENSE ./THIRD_PARTY_LICENSES.txt /usr/share/licenses/
+
+ # Fix permission during the build to avoid issues at runtime
+ # with volumes (custom templates)
+@@ -67,14 +67,11 @@ RUN bash -xeu -c ' \
+   && echo "/lib:/usr/lib:/usr/local/lib:/modules_mount/etc/nginx/modules/otel" > /etc/ld-musl-x86_64.path
+
+
+-RUN apk add --no-cache libcap \
+-  && setcap    cap_net_bind_service=+ep /nginx-ingress-controller \
++RUN \
++  setcap       cap_net_bind_service=+ep /nginx-ingress-controller \
+   && setcap -v cap_net_bind_service=+ep /nginx-ingress-controller \
+   && setcap    cap_net_bind_service=+ep /usr/local/nginx/sbin/nginx \
+   && setcap -v cap_net_bind_service=+ep /usr/local/nginx/sbin/nginx \
+-  && setcap    cap_net_bind_service=+ep /usr/bin/dumb-init \
+-  && setcap -v cap_net_bind_service=+ep /usr/bin/dumb-init \
+-  && apk del libcap \
+   && ln -sf /usr/local/nginx/sbin/nginx /usr/bin/nginx
+
+ USER www-data
+@@ -83,5 +80,5 @@ USER www-data
+ RUN  ln -sf /dev/stdout /var/log/nginx/access.log \
+   && ln -sf /dev/stderr /var/log/nginx/error.log
+
+-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
++#ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+ CMD ["/nginx-ingress-controller"]
diff --git a/buildrpm/Makefile.patch b/buildrpm/Makefile.patch
@@ -0,0 +1,24 @@
+diff --git Makefile Makefile
+index 964889532..37fcca37a 100644
+--- Makefile
++++ Makefile
+@@ -73,7 +73,7 @@ image: clean-image ## Build image for a particular arch.
+ 		--build-arg TARGETARCH="$(ARCH)" \
+ 		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
+ 		--build-arg BUILD_ID="$(BUILD_ID)" \
+-		-t $(REGISTRY)/controller:$(TAG) rootfs
++		-t $(REGISTRY)/ingress-nginx-controller:$(TAG) rootfs
+
+ .PHONY: gosec
+ gosec:
+@@ -93,8 +93,8 @@ image-chroot: clean-chroot-image ## Build image for a particular arch.
+
+ .PHONY: clean-image
+ clean-image: ## Removes local image
+-	echo "removing old image $(REGISTRY)/controller:$(TAG)"
+-	@docker rmi -f $(REGISTRY)/controller:$(TAG) || true
++	echo "removing old image $(REGISTRY)/ingress-nginx-controller:$(TAG)"
++	@docker rmi -f $(REGISTRY)/ingress-nginx-controller:$(TAG) || true
+
+
+ .PHONY: clean-chroot-image
diff --git a/buildrpm/build.sh.patch b/buildrpm/build.sh.patch
@@ -0,0 +1,141 @@
+diff --git images/nginx/rootfs/build.sh images/nginx/rootfs/build.sh
+index e352be10c..fcd045161 100755
+--- images/nginx/rootfs/build.sh
++++ images/nginx/rootfs/build.sh
+@@ -134,52 +134,58 @@ get_src()
+
+ # install required packages to build
+ # Dependencies from "ninja" and below are OTEL dependencies
+-apk add \
++microdnf install --setopt=ol9_appstream.exclude=golang \
+   bash \
+   gcc \
++  gcc-c++ \
++  krb5-libs \
++  libstdc++ \
++  libstdc++-devel \
++  libstdc++-static \
+   clang \
+-  libc-dev \
++  glibc-devel \
+   make \
++  cmake3 \
+   automake \
+-  openssl-dev \
+-  pcre-dev \
+-  zlib-dev \
+-  linux-headers \
+-  libxslt-dev \
+-  gd-dev \
+-  perl-dev \
+-  libedit-dev \
++  openssl-devel \
++  pcre-devel \
++  zlib-devel \
++  libxslt-devel \
++  gd-devel \
++  perl-devel \
++  libedit-devel \
+   mercurial \
+-  alpine-sdk \
+   findutils \
+   curl \
+   ca-certificates \
+   patch \
+-  libaio-dev \
++  libaio-devel \
+   openssl \
+   cmake \
+   util-linux \
+-  lmdb-tools \
++  lmdb \
+   wget \
+-  curl-dev \
+-  libprotobuf \
+-  git g++ pkgconf flex bison doxygen yajl-dev lmdb-dev libtool autoconf libxml2 libxml2-dev \
++  libcurl-devel \
++  protobuf \
++  git pkgconf flex bison doxygen yajl-devel lmdb-devel libtool autoconf libxml2 libxml2-devel \
+   python3 \
+-  libmaxminddb-dev \
++  libmaxminddb-devel \
+   bc \
+   unzip \
+   dos2unix \
+   yaml-cpp \
+-  coreutils \
+-  ninja \
+-  gtest-dev \
++  coreutils-single \
++  ninja-build \
++  gtest-devel \
+   git \
+-  build-base \
+   pkgconfig \
+-  c-ares-dev \
+-  re2-dev \
+-  grpc-dev \
+-  protobuf-dev
++  c-ares-devel \
++  re2-devel \
++  grpc-devel \
++  protobuf-devel \
++  abseil-cpp \
++  abseil-cpp-devel \
++  lua-devel
+
+ # apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing opentelemetry-cpp-dev
+
+@@ -318,12 +324,22 @@ git config --global --add core.compression -1
+
+ # Get Brotli source and deps
+ cd "$BUILD_PATH"
++# Temporary fix for https://github.com/google/ngx_brotli/issues/156 based on https://github.com/wallarm/ingress/commit/47222d411a8b66699836ca1c716b2d281f2a0295
+ git clone --depth=100 https://github.com/google/ngx_brotli.git
+ cd ngx_brotli
+ # https://github.com/google/ngx_brotli/issues/156
+ git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52
+ git submodule init
+ git submodule update
++cd deps/brotli
++mkdir out && cd out
++
++includ_m64=''
++if [[ ${ARCH} == "x86_64" ]]; then
++  includ_m64='-m64'
++fi
++cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast $includ_m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast $includ_m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
++cmake --build . --config Release --target brotlienc
+
+ cd "$BUILD_PATH"
+ git clone --depth=1 https://github.com/ssdeep-project/ssdeep
+@@ -516,6 +532,7 @@ WITH_MODULES=" \
+   --without-http_scgi_module \
+   --with-cc-opt="${CC_OPT}" \
+   --with-ld-opt="${LD_OPT}" \
++  --without-pcre2 \
+   --user=www-data \
+   --group=www-data \
+   ${WITH_MODULES}
+@@ -524,6 +541,9 @@ make
+ make modules
+ make install
+
++# LD_LIBRARY_PATH not working, so, copy manually
++cp -f /usr/local/lib/lib*.so* /lib64/ 2>/dev/null
++
+ # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/8933841f0a7f8737f61404cf0a64acf6b079c8a5...main
+ export OPENTELEMETRY_CONTRIB_COMMIT=8933841f0a7f8737f61404cf0a64acf6b079c8a5
+ cd "$BUILD_PATH"
+@@ -618,7 +638,10 @@ writeDirs=( \
+   /var/log/nginx \
+ );
+
+-adduser -S -D -H -u 101 -h /usr/local/nginx -s /sbin/nologin -G www-data -g www-data www-data
++#adduser -S -D -H -u 101 -h /usr/local/nginx -s /sbin/nologin -G www-data -g www-data www-data
++getent group
++groupadd -rg 102 www-data && \
++  useradd --system --uid 102 --home /usr/local/nginx --shell /sbin/nologin --gid www-data www-data
+
+ for dir in "${writeDirs[@]}"; do
+   mkdir -p ${dir};