Update Debian to Bullseye and Alpine to 3.15

Author: lucacome

Makefile

@@ -73,7 +73,7 @@ debian-image-plus: build ## Create Docker image for Ingress Controller (nginx pl
 
 .PHONY: debian-image-nap-plus
 debian-image-nap-plus: build ## Create Docker image for Ingress Controller (nginx plus with nap)
-	$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg FILES=nap-common
+	$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg FILES=nap-common --build-arg DEBIAN_VERSION=buster-slim
 
 .PHONY: openshift-image
 openshift-image: build ## Create Docker image for Ingress Controller (ubi)

build/Dockerfile

@@ -3,6 +3,7 @@ ARG BUILD_OS=debian
 ARG NGINX_PLUS_VERSION=r26
 ARG UBI_VERSION=8
 ARG FILES=
+ARG DEBIAN_VERSION=bullseye-slim
 
 ############################################# Base image for Debian #############################################
 FROM nginx:1.21.6 AS debian
@@ -22,33 +23,36 @@ RUN apk add --no-cache libcap \
 
 
 ############################################# Base image for Alpine with NGINX Plus #############################################
-FROM alpine:3.13 as alpine-plus
+FROM alpine:3.15 as alpine-plus
 ARG NGINX_PLUS_VERSION
 
 RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
 	--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \
 	wget -nv -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \
 	&& printf "%s\n" "https://pkgs.nginx.com/plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+	# temp fix for CVE-2022-0778
+	&& apk upgrade --no-cache libretls \
 	&& apk add --no-cache libcap nginx-plus~${NGINX_PLUS_VERSION#r} nginx-plus-module-njs~${NGINX_PLUS_VERSION#r}
 
 
 ############################################# Base image for Debian with NGINX Plus #############################################
-FROM debian:buster-slim AS debian-plus
+FROM debian:${DEBIAN_VERSION} AS debian-plus
 ARG IC_VERSION
 ARG NGINX_PLUS_VERSION
+ARG BUILD_OS
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
 	--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 	apt-get update \
 	&& apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg curl apt-transport-https libcap2-bin \
-	&& curl -sSL https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_signing.gpg \
-	&& curl -sSL -o /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx \
+	&& curl -fsSL https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_signing.gpg \
+	&& curl -fsSL -o /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx \
+	&& DEBIAN_VERSION=$(awk -F '=' '/^VERSION_CODENAME=/ {print $2}' /etc/os-release) \
 	&& printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent \"k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt\";" >> /etc/apt/apt.conf.d/90pkgs-nginx \
-	&& printf "%s\n" "deb https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION^^}/debian buster nginx-plus" > /etc/apt/sources.list.d/nginx-plus.list \
+	&& printf "%s\n" "deb https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION^^}/debian ${DEBIAN_VERSION} nginx-plus" > /etc/apt/sources.list.d/nginx-plus.list \
 	&& apt-get update \
-	&& apt-get install --no-install-recommends --no-install-suggests -y \
-	nginx-plus-${NGINX_PLUS_VERSION} nginx-plus-module-njs-${NGINX_PLUS_VERSION} \
+	&& apt-get install --no-install-recommends --no-install-suggests -y nginx-plus nginx-plus-module-njs \
 	&& apt-get purge --auto-remove -y apt-transport-https gnupg curl \
 	&& rm -rf /var/lib/apt/lists/*
 
@@ -62,14 +66,12 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 	apt-get update \
 	&& apt-get install --no-install-recommends --no-install-suggests -y gnupg curl apt-transport-https \
-	&& curl -sSL https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_app_signing.gpg \
+	&& curl -fsSL https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_app_signing.gpg \
+	&& DEBIAN_VERSION=$(awk -F '=' '/^VERSION_CODENAME=/ {print $2}' /etc/os-release) \
 	&& printf "%s\n" "deb https://pkgs.nginx.com/app-protect/${NGINX_PLUS_VERSION^^}/debian buster nginx-plus" \
-	"deb https://pkgs.nginx.com/app-protect-security-updates/debian buster nginx-plus" > /etc/apt/sources.list.d/nginx-app-protect.list \
+	"deb https://pkgs.nginx.com/app-protect-security-updates/debian ${DEBIAN_VERSION} nginx-plus" > /etc/apt/sources.list.d/nginx-app-protect.list \
 	&& apt-get update \
-	# searching apt-cache for the latest version of NAP package compatible with the $NGINX_PLUS_VERSION
-	&& module_version=$(apt-cache showpkg nginx-plus-module-appprotect | awk -v ver="nginx-plus-$NGINX_PLUS_VERSION" '{ if ($6 == ver) {print $1; exit}}') \
-	&& apt-get install --no-install-recommends --no-install-suggests -y nginx-plus-module-appprotect=${module_version} app-protect=${module_version} \
-	&& apt-get install --no-install-recommends --no-install-suggests -y app-protect-attack-signatures app-protect-threat-campaigns \
+	&& apt-get install --no-install-recommends --no-install-suggests -y app-protect app-protect-attack-signatures app-protect-threat-campaigns \
 	&& apt-get purge --auto-remove -y apt-transport-https gnupg curl \
 	&& rm -rf /var/lib/apt/lists/* \
 	&& rm /etc/apt/sources.list.d/nginx-app-protect.list

docs-web/technical-specifications.md

@@ -26,19 +26,19 @@ The supported architecture is x86-64.
       - Third-party modules
       - DockerHub image
     * - Debian-based image
-      - ``nginx:1.21.6``, which is based on ``debian:buster-slim``
+      - ``nginx:1.21.6``, which is based on ``debian:bullseye-slim``
       -
       - ``nginx/nginx-ingress:1.12.3``
     * - Alpine-based image
-      - ``nginx:1.21.6-alpine``, which is based on ``alpine:3.13``
+      - ``nginx:1.21.6-alpine``, which is based on ``alpine:3.15``
       -
       - ``nginx/nginx-ingress:1.12.3-alpine``
     * - Debian-based image with Opentracing
-      - ``nginx:1.21.6``, which is based on ``debian:buster-slim``
+      - ``nginx:1.21.6``, which is based on ``debian:bullseye-slim``
       - NGINX OpenTracing module, OpenTracing library, OpenTracing tracers for Jaeger, Zipkin and Datadog
       -
     * - Ubi-based image
-      - ``registry.access.redhat.com/ubi8/ubi:8.3``
+      - ``redhat/ubi8-minimal``
       -
       - ``nginx/nginx-ingress:1.12.3-ubi``
 ```
@@ -58,16 +58,16 @@ NGINX Plus images are not available through DockerHub.
       - Base image
       - Third-party modules
     * - Alpine-based image
-      - ``alpine:3.13``
+      - ``alpine:3.15``
       -
     * - Debian-based image
-      - ``debian:buster-slim``
+      - ``debian:bullseye-slim``
       -
     * - Debian-based image with Opentracing
-      - ``debian:buster-slim``
+      - ``debian:bullseye-slim``
       - NGINX Plus OpenTracing module, OpenTracing tracers for Jaeger, Zipkin and Datadog
     * - Ubi-based image
-      - ``registry.access.redhat.com/ubi8/ubi:8.3``
+      - ``redhat/ubi8-minimal``
       -
     * - Debian-based image with App Protect
       - ``debian:buster-slim``