feat: make default NGINX Plus Dockerfile use buildkit

Dockerfile.oss

@@ -1,63 +1,46 @@
-FROM nginx:1.27.0@sha256:56b388b0d79c738f4cf51bbaf184a14fab19337f4819ceb2cae7d94100262de8
+FROM nginx:1.27.0@sha256:9c367186df9a6b18c6735357b8eb7f407347e84aea09beb184961cb83543d46e
 
 # NJS env vars
-ENV NJS_VERSION     0.8.4
-ENV NJS_RELEASE     2~bookworm
+ENV NJS_VERSION=0.8.4
+ENV NJS_RELEASE=2~bookworm
 
 # Proxy cache env vars
-ENV PROXY_CACHE_MAX_SIZE "10g"
-ENV PROXY_CACHE_INACTIVE "60m"
-ENV PROXY_CACHE_SLICE_SIZE "1m"
-ENV PROXY_CACHE_VALID_OK "1h"
-ENV PROXY_CACHE_VALID_NOTFOUND "1m"
-ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
+ENV PROXY_CACHE_MAX_SIZE=10g
+ENV PROXY_CACHE_INACTIVE=60m
+ENV PROXY_CACHE_SLICE_SIZE=1m
+ENV PROXY_CACHE_VALID_OK=1h
+ENV PROXY_CACHE_VALID_NOTFOUND=1m
+ENV PROXY_CACHE_VALID_FORBIDDEN=30s
 
 # CORS env vars
-ENV CORS_ENABLED 0
-ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
+ENV CORS_ENABLED=0
+ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS=""
 
 # S3 proxy env vars
-ENV DIRECTORY_LISTING_PATH_PREFIX ""
-ENV STRIP_LEADING_DIRECTORY_PATH ""
-ENV PREFIX_LEADING_DIRECTORY_PATH ""
-
-# We modify the nginx base image by:
-# 1. Explicitly install the version of njs coded in the environment variable above.
-# 2. Adding configuration files needed for proxying private S3 buckets
-# 3. Adding a directory for proxied objects to be stored
+ENV DIRECTORY_LISTING_PATH_PREFIX=""
+ENV STRIP_LEADING_DIRECTORY_PATH=""
+ENV PREFIX_LEADING_DIRECTORY_PATH=""
+
+# We modify the NGINX OSS base image by:
+# 1. Explicitly installing the version of njs coded in the environment variable above.
+# 2. Adding configuration files needed for proxying private S3 buckets.
+# 3. Adding a directory for proxied objects to be stored.
 # 4. Replacing the entrypoint script with a modified version that explicitly sets resolvers.
 
 RUN set -x \
-    && apt-get update \
-    && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
-    && \
-    NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
-    NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
-    export GNUPGHOME="$(mktemp -d)"; \
-    found=''; \
-    for server in \
-        hkp://keyserver.ubuntu.com:80 \
-        pgp.mit.edu \
-    ; do \
-        echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
-        gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
-    done; \
-    test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
-    gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
-    rm -rf "$GNUPGHOME"; \
-    apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/*; \
-    echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
+    && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
     apt-get update \
     && apt-get install --no-install-recommends --no-install-suggests -y \
       libedit2 \
       nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
     && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
 
-COPY common/etc /etc
 COPY oss/etc /etc
+COPY common/etc /etc
 COPY common/docker-entrypoint.sh /docker-entrypoint.sh
 COPY common/docker-entrypoint.d /docker-entrypoint.d/
 
-RUN mkdir -p /var/cache/nginx/s3_proxy \
+RUN set -x \
+    && mkdir -p /var/cache/nginx/s3_proxy \
     && chown nginx:nginx /var/cache/nginx/s3_proxy \
     && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;

Dockerfile.plus

@@ -1,77 +1,102 @@
-FROM debian:bookworm-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395
+ARG RELEASE=bookworm
+FROM debian:${RELEASE}-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395
 
-ENV NGINX_PLUS_VERSION   30-2
-ENV NGINX_VERSION        1.25.1
-ENV NJS_VERSION          30+0.8.0-1
-ENV XSLT_VERSION         30-1
+# NJS env vars
+ENV NGINX_VERSION=32
+ENV NGINX_PKG_RELEASE=1~${RELEASE}
+ENV NJS_VERSION=0.8.4
+ENV NJS_PKG_RELEASE=1~${RELEASE}
 
-ENV PROXY_CACHE_MAX_SIZE "10g"
-ENV PROXY_CACHE_INACTIVE "60m"
-ENV PROXY_CACHE_SLICE_SIZE "1m"
-ENV PROXY_CACHE_VALID_OK "1h"
-ENV PROXY_CACHE_VALID_NOTFOUND "1m"
-ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
-ENV CORS_ENABLED 0
-ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
-ENV DIRECTORY_LISTING_PATH_PREFIX ""
-ENV STRIP_LEADING_DIRECTORY_PATH ""
-ENV PREFIX_LEADING_DIRECTORY_PATH ""
+# Proxy cache env vars
+ENV PROXY_CACHE_MAX_SIZE=10g
+ENV PROXY_CACHE_INACTIVE=60m
+ENV PROXY_CACHE_SLICE_SIZE=1m
+ENV PROXY_CACHE_VALID_OK=1h
+ENV PROXY_CACHE_VALID_NOTFOUND=1m
+ENV PROXY_CACHE_VALID_FORBIDDEN=30s
 
-COPY plus/etc/ssl /etc/ssl
-COPY plus/usr /usr
+# CORS env vars
+ENV CORS_ENABLED=0
+ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS=""
 
-# Copy files from the OSS NGINX Docker container such that the container
-# startup is the same.
-COPY common/docker-entrypoint.sh /docker-entrypoint.sh
-COPY common/docker-entrypoint.d /docker-entrypoint.d/
-COPY plus/docker-entrypoint.d /docker-entrypoint.d/
-# Add NGINX Plus package repository keyring
-COPY plus/usr/share/keyrings/nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg
+# S3 proxy env vars
+ENV DIRECTORY_LISTING_PATH_PREFIX=""
+ENV STRIP_LEADING_DIRECTORY_PATH=""
+ENV PREFIX_LEADING_DIRECTORY_PATH=""
 
-RUN set -eux \
-    export DEBIAN_FRONTEND=noninteractive; \
-    # create nginx user/group first, to be consistent throughout docker variants
-    addgroup --system --gid 101 nginx; \
-    adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx; \
-    apt-get -qq update; \
-    apt-get -qq upgrade --yes; \
-    apt-get -qq install --yes \
-      ca-certificates \
-      curl \
-      libedit2; \
-    sh -a /usr/local/bin/add_nginx_plus_repo.sh; \
-    rm /usr/local/bin/add_nginx_plus_repo.sh; \
-    apt-get -qq update; \
-    export DISTRO_VERSION="$(grep '^VERSION_CODENAME=' /etc/os-release | awk -v FS='=' '{print $2}')" && \
-    apt-get -qq install --yes --no-install-recommends --no-install-suggests \
-        nginx-plus=${NGINX_PLUS_VERSION}~${DISTRO_VERSION} \
-        nginx-plus-module-njs=${NJS_VERSION}~${DISTRO_VERSION} \
-        nginx-plus-module-xslt=${XSLT_VERSION}~${DISTRO_VERSION} \
-        gettext-base; \
-    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-    rm -rf /etc/apt/sources.list.d/nginx-plus.list /var/lib/apt/lists/* /var/tmp/* /tmp/*; \
-    # forward request and error logs to docker log collector
-    ln -sf /dev/stdout /var/log/nginx/access.log; \
-    ln -sf /dev/stderr /var/log/nginx/error.log; \
-    chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh
+# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by:
+# 1. Explicitly installing the version of njs coded in the environment variable above.
+# 2. Adding configuration files needed for proxying private S3 buckets.
+# 3. Adding a directory for proxied objects to be stored.
+# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers.
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy them to the build context
+RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \
+    --mount=type=secret,id=nginx-key,dst=nginx-repo.key \
+    set -x \
+# Create nginx user/group first, to be consistent throughout Docker variants
+    && groupadd --system --gid 101 nginx \
+    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg2 lsb-release \
+    && \
+    NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
+    NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \
+    export GNUPGHOME="$(mktemp -d)"; \
+    found=''; \
+    for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
+        for server in \
+            hkp://keyserver.ubuntu.com:80 \
+            pgp.mit.edu \
+        ; do \
+            echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
+            gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+        done; \
+        test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
+    done; \
+    gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
+    rm -rf "$GNUPGHOME"; \
+    apt-get remove --purge --auto-remove -y gnupg2 && rm -rf /var/lib/apt/lists/* \
+# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5)
+    && nginxPackages=" \
+        nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
+        nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \
+        nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
+    " \
+    && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \
+    && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \
+    && echo "Acquire::https::pkgs.nginx.com::SslCert     \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \
+    && echo "Acquire::https::pkgs.nginx.com::SslKey      \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \
+    && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
+    && mkdir -p /etc/ssl/nginx \
+    && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \
+    && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \
+    && apt-get remove --purge -y lsb-release \
+    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \
+    && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \
+# Forward request logs to Docker log collector
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log
 
 EXPOSE 80
 
 STOPSIGNAL SIGTERM
 
 CMD ["nginx", "-g", "daemon off;"]
 
-# NGINX Docker image setup complete, everything below is specific for
-# the S3 Gateway use case.
-
+# Copy files from the OSS NGINX Docker container such that the container
+# startup is the same.
 COPY plus/etc/nginx /etc/nginx
 COPY common/etc /etc
-COPY common/docker-entrypoint.d/00-check-for-required-env.sh /docker-entrypoint.d/00-check-for-required-env.sh
+COPY common/docker-entrypoint.sh /docker-entrypoint.sh
+COPY common/docker-entrypoint.d /docker-entrypoint.d/
+COPY plus/docker-entrypoint.d /docker-entrypoint.d/
+
+RUN set -x \
+    && mkdir -p /var/cache/nginx/s3_proxy \
+    && chown nginx:nginx /var/cache/nginx/s3_proxy \
+    && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;
 
-RUN set -eux \
-    export DEBIAN_FRONTEND=noninteractive; \
-    mkdir -p /var/cache/nginx/s3_proxy; \
-    chown nginx:nginx /var/cache/nginx/s3_proxy; \
-    chmod -R +x /docker-entrypoint.d/*
+ENTRYPOINT ["/docker-entrypoint.sh"]

README.md

@@ -76,9 +76,7 @@ test/                            contains automated tests for validang that the
 Dockerfile.oss                   Dockerfile that configures NGINX OSS to act as a S3 gateway
 Dockerfile.plus                  Dockerfile that builds a NGINX Plus instance that is configured
                                  equivelently to NGINX OSS - instance is configured to act as a
-                                 S3 gateway with NGINX Plus additional features enabled
-Dockerfile.buildkit.plus         Dockerfile with the same configuration as Dockerfile.plus, but
-                                 with support for hiding secrets using Docker's Buildkit
+                                 S3 gateway with NGINX Plus additional features enabled. The NGINX Plus license is parsed via Docker's Buildkit built-in support for secrets
 Dockerfile.latest-njs            Dockerfile that inherits from the last build of the gateway and
                                  then builds and installs the latest version of njs from source
 Dockerfile.unprivileged          Dockerfiles that inherits from the last build of the gateway and