apply patches to template locally

Signed-off-by: Timofei Larkin <[email protected]>

Author: lllamnyp

images/controller/Dockerfile

@@ -5,7 +5,8 @@ ARG TAG=$TAG
 RUN apk add --no-cache git make bash
 RUN git clone --branch controller-${TAG} --depth 1 https://github.com/kubernetes/ingress-nginx /src
 WORKDIR /src
-RUN wget -O- https://github.com/kubernetes/ingress-nginx/pull/11843.diff | git apply -
+COPY patches/* .
+RUN git apply *.diff
 RUN make build DOCKER_IN_DOCKER_ENABLED=true ARCH=amd64
 RUN apk add --no-cache libcap
 RUN setcap cap_net_bind_service+ep /src/rootfs/bin/amd64/nginx-ingress-controller
@@ -17,9 +18,6 @@ USER root
 # required packages to build lua and run luarocks
 RUN apk add --no-cache make gcc musl-dev
 
-COPY lua/* /etc/nginx/lua/
-COPY patches /patches
-
 ARG LUA_ROCKS_VER="3.0.0"
 RUN cd /tmp \
  && wget https://luarocks.org/releases/luarocks-${LUA_ROCKS_VER}.tar.gz \
@@ -32,9 +30,12 @@ RUN cd /tmp \
  && rm -rf /tmp/* \
  && mkdir -p /tmp/nginx && chown www-data: /tmp/nginx \
  && luarocks install lua-protobuf 0.4.1-1 \
- && luarocks install lua-iconv 7-3 \
- && patch /etc/nginx/template/nginx.tmpl < /patches/nginx-tmpl.patch
+ && luarocks install lua-iconv 7-3
 
 USER www-data
 
 COPY --from=builder /src/rootfs/bin/amd64/nginx-ingress-controller /nginx-ingress-controller
+
+COPY --chown=www-data:www-data ./etc/nginx /etc/nginx
+
+LABEL org.opencontainers.image.source="https://github.com/cozystack/ingress-nginx-with-protobuf-exporter"

images/controller/PROVENANCE.md

@@ -0,0 +1,9 @@
+# Description
+
+This build of the NGINX Ingress controller is built with:
+
+* [kubernetes/[email protected]](https://github.com/kubernetes/ingress-nginx/tree/controller-v1.11.2) ([permalink](https://github.com/kubernetes/ingress-nginx/tree/d3bb2b4f8757816f1d7c6268e02e433887373a3b)).
+* [Lua modules](./etc/nginx/lua) for exporting metrics and for geohashing ([source](https://github.com/deckhouse/deckhouse/tree/49744cd7e11f86aacf493be4dec391901348ddda/modules/402-ingress-nginx/images/controller-1-10/rootfs/etc/nginx/lua)).
+* A patched `nginx.conf` [template](./etc/nginx/template/nginx.tmpl). The patch is based on [deckhouse/deckhouse@91482468](https://raw.githubusercontent.com/deckhouse/deckhouse/91482468489526bc59623bd7fbd31228cd6a6b22/modules/402-ingress-nginx/images/controller-1-10/patches/nginx-tmpl.patch) sans the HTTP3 features.
+* [kubernetes/ingress-nginx#11843](./patches/11843.diff) ([source](https://github.com/kubernetes/ingress-nginx/pull/11843)).
+* A [backport](./patches/13068.diff) for [CVE-2025-1974](https://github.com/advisories/GHSA-mgvx-rpfc-9mpv) and friends ([source](https://github.com/kubernetes/ingress-nginx/pull/13068)). Parts of this patch are already included in [`etc/nginx/template/nginx.tmpl`](./etc/nginx/template/nginx.tmpl). Patches for test files are omitted.

images/controller/etc/nginx/template/nginx.tmpl

@@ -12,6 +12,9 @@
 # setup custom paths that do not require root access
 pid {{ .PID }};
 
+# enables the use of “just-in-time compilation” for the regular expressions known by the time of configuration parsing
+pcre_jit on;
+
 {{ if $cfg.UseGeoIP2 }}
 load_module /etc/nginx/modules/ngx_http_geoip2_module.so;
 {{ end }}
@@ -98,11 +101,11 @@ http {
         end
 
         {{ if $all.EnableMetrics }}
-        ok, res = pcall(require, "monitor")
+        ok, res = pcall(require, "pbmetrics")
         if not ok then
           error("require failed: " .. tostring(res))
         else
-          monitor = res
+          pbmetrics = res
         end
         {{ end }}
 
@@ -127,11 +130,9 @@ http {
     init_worker_by_lua_block {
         lua_ingress.init_worker()
         balancer.init_worker()
-        {{ if $all.EnableMetrics }}
-        monitor.init_worker({{ $all.MonitorMaxBatchSize }})
-        {{ end }}
 
         plugins.run()
+        pbmetrics.init_worker()
     }
 
     {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
@@ -415,6 +416,15 @@ http {
         {{ $reqUri }} 0;{{ end }}
         default 1;
     }
+    map $server_name $total_upstream_response_time {
+        default 0;
+    }
+    map $server_name $upstream_retries {
+        default 0;
+    }
+    map $server_name $formatted_status {
+        default $status;
+    }
 
     {{ if or $cfg.DisableAccessLog $cfg.DisableHTTPAccessLog }}
     access_log off;
@@ -955,14 +965,15 @@ stream {
             proxy_set_header       Host               $best_http_host;
 
             set $proxy_upstream_name {{ $upstreamName | quote }};
+            set $formatted_status $status;
+            set $upstream_retries "0";
+            set $total_upstream_response_time "0";
 
             rewrite                (.*) / break;
 
             proxy_pass            http://upstream_balancer;
             log_by_lua_block {
-                {{ if $enableMetrics }}
-                monitor.call()
-                {{ end }}
+                pbmetrics.call()
             }
         }
         {{ end }}
@@ -1010,10 +1021,13 @@ stream {
         {{ buildHTTPSListener $all $server.Hostname }}
 
         set $proxy_upstream_name "-";
+        set $formatted_status $status;
+        set $upstream_retries "0";
+        set $total_upstream_response_time "0";
 
         {{ if not ( empty $server.CertificateAuth.MatchCN ) }}
         {{ if gt (len $server.CertificateAuth.MatchCN) 0 }}
-        if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
+        if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN | quote }} ) {
             return 403 "client certificate unauthorized";
         }
         {{ end }}
@@ -1172,6 +1186,10 @@ stream {
             proxy_set_header            X-Auth-Request-Redirect $request_uri;
             {{ end }}
 
+            {{ if not (contains $externalAuth.AuthSnippet "proxy_connect_timeout") }}
+            proxy_connect_timeout                   15s;
+            {{ end }}
+
             {{ if $externalAuth.AuthCacheKey }}
             proxy_buffering                         "on";
             {{ else }}
@@ -1219,7 +1237,7 @@ stream {
             set $target {{ changeHostPort $externalAuth.URL $authUpstreamName }};
             {{ else }}
             proxy_http_version {{ $location.Proxy.ProxyHTTPVersion }};
-            set $target {{ $externalAuth.URL }};
+            set $target {{ $externalAuth.URL | quote }};
             {{ end }}
             proxy_pass $target;
         }
@@ -1255,10 +1273,12 @@ stream {
             set $location_path  {{ $ing.Path | escapeLiteralDollar | quote }};
             set $global_rate_limit_exceeding n;
 
+            set $content_kind "";
+
             {{ buildOpentelemetryForLocation $all.Cfg.EnableOpentelemetry $all.Cfg.OpentelemetryTrustIncomingSpan $location }}
 
             {{ if $location.Mirror.Source }}
-            mirror {{ $location.Mirror.Source }};
+            mirror {{ $location.Mirror.Source | quote }};
             mirror_request_body {{ $location.Mirror.RequestBody }};
             {{ end }}
 
@@ -1285,11 +1305,9 @@ stream {
 
             log_by_lua_block {
                 balancer.log()
-                {{ if $all.EnableMetrics }}
-                monitor.call()
-                {{ end }}
 
                 plugins.run()
+                pbmetrics.call()
             }
 
             {{ if not $location.Logs.Access }}
@@ -1577,14 +1595,15 @@ stream {
 
         {{ if eq $server.Hostname "_" }}
         # health checks in cloud providers require the use of port {{ $all.ListenPorts.HTTP }}
-        location {{ $all.HealthzURI }} {
+        location = {{ $all.HealthzURI }} {
 
             {{ if $all.Cfg.EnableOpentelemetry }}
             opentelemetry off;
             {{ end }}
 
             access_log off;
-            return 200;
+            proxy_set_header D8s-External-Check "True";
+            proxy_pass http://127.0.0.1:10254;
         }
 
         # this is required to avoid error if nginx is being monitored

images/controller/patches/13068-tmpl.diff

@@ -89,34 +89,3 @@ index ed052e4ecf..0e03007433 100644
  	}
 
  	return buffer.String()
-diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
-index 6b8e750b06..0a87de5ee9 100644
---- a/rootfs/etc/nginx/template/nginx.tmpl
-+++ b/rootfs/etc/nginx/template/nginx.tmpl
-@@ -879,7 +879,7 @@ stream {
- 
-         {{ if not ( empty $server.CertificateAuth.MatchCN ) }}
-         {{ if gt (len $server.CertificateAuth.MatchCN) 0 }}
--        if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
-+        if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN | quote }} ) {
-             return 403 "client certificate unauthorized";
-         }
-         {{ end }}
-@@ -1082,7 +1082,7 @@ stream {
-             set $target {{ changeHostPort $externalAuth.URL $authUpstreamName }};
-             {{ else }}
-             proxy_http_version {{ $location.Proxy.ProxyHTTPVersion }};
--            set $target {{ $externalAuth.URL }};
-+            set $target {{ $externalAuth.URL | quote }};
-             {{ end }}
-             proxy_pass $target;
-         }
-@@ -1120,7 +1120,7 @@ stream {
-             {{ buildOpentelemetryForLocation $all.Cfg.EnableOpentelemetry $all.Cfg.OpentelemetryTrustIncomingSpan $location }}
- 
-             {{ if $location.Mirror.Source }}
--            mirror {{ $location.Mirror.Source }};
-+            mirror {{ $location.Mirror.Source | quote }};
-             mirror_request_body {{ $location.Mirror.RequestBody }};
-             {{ end }}
-