From d852e65c7c2c242753a8d01b1fe0d87e3762feff Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Wed, 24 Jul 2024 15:43:12 +0100
Subject: [PATCH 1/7] bump versions of alpine fips modules (#5905)
---
 build/Dockerfile | 8 ++++----
 docs/content/technical-specifications.md | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/build/Dockerfile b/build/Dockerfile
index 20184de840..3d42c34784 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -13,8 +13,8 @@ ARG WAF_VERSION=v4
 FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.0@sha256:1a77df60fd641db9e6a9323c8a484f642eb0e276df06104b592ecfd515bc1aef AS opentracing-lib
 FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.0-alpine@sha256:8e582e8cac837ad71372fbe1d80ab4d9894fa9dd9d3ad61163ebe87403b6b9db AS alpine-opentracing-lib
 FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.0@sha256:760ed8cff8e0ae835b1873400673d95642e39420e42a02379e0619545008bc07 AS ubi-ppc64le
-FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 AS alpine-fips-3.17
-FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc AS alpine-fips-3.19
+FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.17@sha256:0dcd9149b66a6b35c1253b7662c8ed7ef0e0172ceae893a82058c30668799bf2 AS alpine-fips-3.17
+FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.20@sha256:0ddcfb906a5dc931336db5ba6e0d09d5f77cc48c67e3781aba66a0a27dc14605 AS alpine-fips-3.20
 FROM redhat/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS ubi-minimal
 FROM golang:1.22-alpine@sha256:8c9183f715b0b4eca05b8b3dbf59766aaedb41ec07477b132ee2891ac0110a07 AS golang-builder
@@ -98,7 +98,7 @@ USER 101 ############################################# Base image for Alpine with NGINX Plus ############################################# -FROM alpine:3.19@sha256:af4785ccdbcd5cde71bfd5b93eabd34250b98651f19fe218c91de6c8d10e21c5 AS alpine-plus +FROM alpine:3.20@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 AS alpine-plus ARG NGINX_PLUS_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} @@ -122,7 +122,7 @@ ARG NGINX_PLUS_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} -RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ +RUN --mount=type=bind,from=alpine-fips-3.20,target=/tmp/fips/ \ mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ diff --git a/docs/content/technical-specifications.md b/docs/content/technical-specifications.md index adf04b06d9..02699aad0c 100644 --- a/docs/content/technical-specifications.md +++ b/docs/content/technical-specifications.md @@ -59,9 +59,9 @@ _All images include NGINX 1.27.0._ {{< bootstrap-table "table table-bordered table-responsive" >}} |
Name
|
Base image
|
Third-party modules
| DockerHub image | Architectures | | ---| --- | --- | --- | --- | -|Alpine-based image | ``nginx:1.27.0-alpine``,
based on on ``alpine:3.19`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:{{< nic-version >}}-alpine`` | arm/v7
arm64
amd64
ppc64le
s390x | +|Alpine-based image | ``nginx:1.27.0-alpine``,
based on on ``alpine:3.20`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:{{< nic-version >}}-alpine`` | arm/v7
arm64
amd64
ppc64le
s390x | |Debian-based image | ``nginx:1.27.0``,
based on on ``debian:12-slim`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:{{< nic-version >}}`` | arm/v7
arm64
amd64
ppc64le
s390x | -|Ubi-based image | ``nginxcontrib/nginx:1.27.0-ubi``,
based on on ``redhat/ubi9-minimal`` | | ``nginx/nginx-ingress:{{< nic-version >}}-ubi`` | arm64
amd64
ppc64le
s390x | +|Ubi-based image | ``redhat/ubi9-minimal`` | | ``nginx/nginx-ingress:{{< nic-version >}}-ubi`` | arm64
amd64
ppc64le
s390x | {{% /bootstrap-table %}} --- @@ -79,8 +79,8 @@ NGINX Plus images are available through the F5 Container registry `private-regis {{< bootstrap-table "table table-striped table-bordered table-responsive" >}} |
Name
|
Base image
|
Third-party modules
| F5 Container Registry Image | Architectures | | ---| ---| --- | --- | --- | -|Alpine-based image | ``alpine:3.19`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine` | arm64
amd64 | -|Alpine-based image with FIPS inside | ``alpine:3.19`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 | +|Alpine-based image | ``alpine:3.20`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine` | arm64
amd64 | +|Alpine-based image with FIPS inside | ``alpine:3.20`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 | |Alpine-based image with NGINX App Protect WAF & FIPS inside | ``alpine:3.17`` | NGINX App Protect WAF

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 | |Alpine-based image with NGINX App Protect WAF v5 & FIPS inside | ``alpine:3.17`` | NGINX App Protect WAF v5

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 | |Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}` | arm64
amd64 | From e316fdd5622ed1e537f2019ae770f24f40210c27 Mon Sep 17 00:00:00 2001 From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Date: Wed, 24 Jul 2024 16:09:25 +0100 Subject: [PATCH 2/7] update keycloak version in OIDC example (#6049) * update keycloak version in OIDC example --------- Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> --- examples/custom-resources/oidc/keycloak.yaml | 13 +++++++------ examples/custom-resources/oidc/keycloak_setup.md | 15 +++++++++++---- examples/custom-resources/oidc/oidc.yaml | 6 +++--- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/examples/custom-resources/oidc/keycloak.yaml b/examples/custom-resources/oidc/keycloak.yaml index 5130a8ea4a..0e879dfa11 100644 --- a/examples/custom-resources/oidc/keycloak.yaml +++ b/examples/custom-resources/oidc/keycloak.yaml @@ -31,14 +31,15 @@ spec: spec: containers: - name: keycloak - image: quay.io/keycloak/keycloak:15.0.2 + image: quay.io/keycloak/keycloak:25.0.2 + args: ["start-dev"] env: - - name: KEYCLOAK_USER + - name: KEYCLOAK_ADMIN value: "admin" - - name: KEYCLOAK_PASSWORD + - name: KEYCLOAK_ADMIN_PASSWORD value: "admin" - - name: PROXY_ADDRESS_FORWARDING - value: "true" + - name: KC_PROXY + value: "edge" ports: - name: http containerPort: 8080 @@ -46,5 +47,5 @@ spec: containerPort: 8443 readinessProbe: httpGet: - path: /auth/realms/master + path: /realms/master port: 8080 diff --git a/examples/custom-resources/oidc/keycloak_setup.md b/examples/custom-resources/oidc/keycloak_setup.md index 3db8078146..9863e32c63 100644 --- a/examples/custom-resources/oidc/keycloak_setup.md +++ b/examples/custom-resources/oidc/keycloak_setup.md 
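Review bot: The added `KC_PROXY` variable with value `edge` relies on an option Keycloak deprecated in release 24, so it is already on its way out for the 25.0.2 image chosen in the keycloak.yaml hunk; the replacement is `KC_PROXY_HEADERS` with value `xforwarded` (or `forwarded`), which also states explicitly which forwarding headers are trusted. The same hunk keeps the bootstrap admin as literal `admin`/`admin` values in `env` and now starts the server with `start-dev`, so a comment above `args` such as `# development mode with default admin credentials: example only, keep off any shared or internet-facing cluster` would stop the manifest being copied as-is. The image is referenced by tag only; adding a digest would match how build/Dockerfile pins its bases in this series.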
@@ -7,7 +7,8 @@ This guide will help you configure KeyCloak using Keycloak's API: **Notes**: -- if you changed the username and password for Keycloak in `keycloak.yaml`, modify the commands accordingly. +- This guide has been tested with keycloak 19.0.2 and later. If you modify `keycloak.yaml` to use an older version, Keycloak may not start correctly or the commands in this guide may not work as expected. The Keycloak OpenID endpoints `oidc.yaml` might also be different in older versions of Keycloak. +- if you changed the admin username and password for Keycloak in `keycloak.yaml`, modify the commands accordingly. - The instructions use [`jq`](https://stedolan.github.io/jq/). Steps: 
@@ -21,21 +22,27 @@ Steps: 1. Retrieve the access token and store it into a shell variable: ```console - TOKEN=`curl -sS -k --data "username=admin&password=admin&grant_type=password&client_id=admin-cli" https://${KEYCLOAK_ADDRESS}/auth/realms/master/protocol/openid-connect/token | jq -r .access_token` + TOKEN=`curl -sS -k --data "username=admin&password=admin&grant_type=password&client_id=admin-cli" "https://${KEYCLOAK_ADDRESS}/realms/master/protocol/openid-connect/token" | jq -r .access_token` ``` + Ensure the request was successful and the token is stored in the shell variable by running: + ```console + echo $TOKEN + ``` + ***Note***: The access token lifespan is very short. If it expires between commands, retrieve it again with the command above. + 1. Create the user `nginx-user`: ```console - curl -sS -k -X POST -d '{ "username": "nginx-user", "enabled": true, "credentials":[{"type": "password", "value": "test", "temporary": false}]}' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/auth/admin/realms/master/users + curl -sS -k -X POST -d '{ "username": "nginx-user", "enabled": true, "credentials":[{"type": "password", "value": "test", "temporary": false}]}' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/admin/realms/master/users ``` 1. 
Create the client `nginx-plus` and retrieve the secret: ```console - SECRET=`curl -sS -k -X POST -d '{ "clientId": "nginx-plus", "redirectUris": ["https://webapp.example.com:443/_codexch"] }' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/auth/realms/master/clients-registrations/default | jq -r .secret` + SECRET=`curl -sS -k -X POST -d '{ "clientId": "nginx-plus", "redirectUris": ["https://webapp.example.com:443/_codexch"] }' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/realms/master/clients-registrations/default | jq -r .secret` ``` If everything went well you should have the secret stored in $SECRET. To double check run: diff --git a/examples/custom-resources/oidc/oidc.yaml b/examples/custom-resources/oidc/oidc.yaml index 9711db74d4..d750275849 100644 --- a/examples/custom-resources/oidc/oidc.yaml +++ b/examples/custom-resources/oidc/oidc.yaml @@ -6,8 +6,8 @@ spec: oidc: clientID: nginx-plus clientSecret: oidc-secret - authEndpoint: https://keycloak.example.com/auth/realms/master/protocol/openid-connect/auth - tokenEndpoint: http://keycloak.default.svc.cluster.local:8080/auth/realms/master/protocol/openid-connect/token - jwksURI: http://keycloak.default.svc.cluster.local:8080/auth/realms/master/protocol/openid-connect/certs + authEndpoint: https://keycloak.example.com/realms/master/protocol/openid-connect/auth + tokenEndpoint: http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/token + jwksURI: http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/certs scope: openid+profile+email accessTokenEnable: true From d250c086ef292e2d678e9df172a3a7c132485fb0 Mon Sep 17 00:00:00 2001 
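Review bot: In the oidc.yaml hunk `tokenEndpoint` and `jwksURI` still use `http://keycloak.default.svc.cluster.local:8080`, so the code-for-token exchange (which presumably carries the client secret referenced by `clientSecret: oidc-secret`) and the signing-key fetch travel unencrypted inside the cluster. Since the commit only drops the `/auth` prefix, a comment is enough here, for example `# example only: in-cluster plain HTTP; point these at an https:// endpoint where Keycloak serves TLS` above `tokenEndpoint`. The policy's `spec` starts outside the hunk, so any TLS-related fields it may already set are not visible.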
From: Dani De Leo Date: Wed, 24 Jul 2024 11:51:23 -0400 Subject: [PATCH 3/7] Add GitHub workflow for docs deployments (#6027) --- .github/actions/docs-build-push.yml | 33 +++++++++++++++++++++++++++++ docs/README.md | 2 +- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 .github/actions/docs-build-push.yml diff --git a/.github/actions/docs-build-push.yml b/.github/actions/docs-build-push.yml new file mode 100644 index 0000000000..aaf5a80c52 --- /dev/null +++ b/.github/actions/docs-build-push.yml @@ -0,0 +1,33 @@ +name: Build and deploy docs +on: + workflow_dispatch: + inputs: + environment: + description: 'Environment to deploy to' + required: true + default: 'preview' + type: choice + options: + - preview + - dev + - staging + - prod + pull_request: + branches: + - "*" + paths: + - "docs/**" + +jobs: + call-docs-build-push: + uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@main + with: + production_url_path: "/nginx-ingress-controller" + preview_url_path: "/previews/nginx-ingress-controller" + docs_source_path: "public/nginx-ingress-controller" + docs_build_path: "./docs" + doc_type: "hugo" + environment: ${{inputs.environment}} + secrets: + AZURE_CREDENTIALS: ${{secrets.AZURE_CREDENTIALS}} + AZURE_KEY_VAULT: ${{secrets.AZURE_KEY_VAULT}} diff --git a/docs/README.md b/docs/README.md index 939630fdc9..5f9d31ab02 100644 --- a/docs/README.md +++ b/docs/README.md 
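Review bot: The `pull_request` filter `branches: "*"` in the new workflow does not match base branches whose name contains a `/`, because a single `*` stops at a slash in GitHub's filter patterns; `"**"`, or dropping the `branches` key, covers every base branch. On `pull_request` runs `inputs.environment` is empty, since inputs exist only for `workflow_dispatch`, so the called workflow has to supply its own default; a comment next to `environment:` such as `# empty on pull_request; docs-actions is expected to fall back to preview` would record that assumption. Repository secrets are not passed to runs triggered from forks, so for fork pull requests the `AZURE_CREDENTIALS` and `AZURE_KEY_VAULT` values will be empty and the deploy step will presumably fail unless the called workflow guards for it.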
@@ -2,7 +2,7 @@ This directory contains all of the user documentation for NGINX Ingress Controller, as well as the requirements for building and publishing the documentation. -Documentation is written in Markdown, built using [Hugo](https://gohugo.io) with [nginx-hugo-theme](https://github.com/nginxinc/nginx-hugo-theme), then deployed with [Netlify](https://www.netlify.com/). +Documentation is written in Markdown, built using [Hugo](https://gohugo.io) with [nginx-hugo-theme](https://github.com/nginxinc/nginx-hugo-theme). Previews and deployments are handled by the [docs-actions](https://github.com/nginxinc/docs-actions?tab=readme-ov-file#docs-actions) workflow. ## Setup From 889550f9ee3088b7ace8f4d914e37ac95ad9c92a Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Thu, 25 Jul 2024 11:25:59 +0100 Subject: [PATCH 4/7] move docs workflow to workflow directory (#6063) --- .github/scripts/exclude_ci_files.txt | 1 + .github/{actions => workflows}/docs-build-push.yml | 3 +++ 2 files changed, 4 insertions(+) rename .github/{actions => workflows}/docs-build-push.yml (96%) diff --git a/.github/scripts/exclude_ci_files.txt b/.github/scripts/exclude_ci_files.txt index 6ffdd73936..457bb41969 100644 --- a/.github/scripts/exclude_ci_files.txt +++ b/.github/scripts/exclude_ci_files.txt @@ -23,6 +23,7 @@ .github/workflows/dependabot-hugo.yml .github/workflows/dependency-review.yml .github/workflows/dockerhub-description.yml +.github/workflows/docs-build-push.yml .github/workflows/fossa.yml .github/workflows/image-promotion.yml .github/workflows/issues.yaml diff --git a/.github/actions/docs-build-push.yml b/.github/workflows/docs-build-push.yml similarity index 96% rename from .github/actions/docs-build-push.yml rename to .github/workflows/docs-build-push.yml index aaf5a80c52..9c0c602961 100644 --- a/.github/actions/docs-build-push.yml +++ b/.github/workflows/docs-build-push.yml 
@@ -18,6 +18,9 @@ on: paths: - "docs/**" +permissions: + contents: read + jobs: call-docs-build-push: uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@main From 1f5f0df01da93ee8c53ac1f2e3f75b7d188fcb25 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Thu, 25 Jul 2024 12:01:22 +0100 Subject: [PATCH 5/7] rename azure values (#6064) --- .github/workflows/docs-build-push.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docs-build-push.yml b/.github/workflows/docs-build-push.yml index 9c0c602961..ebbe182c70 100644 --- a/.github/workflows/docs-build-push.yml +++ b/.github/workflows/docs-build-push.yml @@ -23,14 +23,14 @@ permissions: jobs: call-docs-build-push: - uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@main + uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@03a9a3808fcb77cd0c19d7fa5d59b25565dd1d6d # v1.0.2 with: production_url_path: "/nginx-ingress-controller" preview_url_path: "/previews/nginx-ingress-controller" docs_source_path: "public/nginx-ingress-controller" docs_build_path: "./docs" doc_type: "hugo" - environment: ${{inputs.environment}} + environment: ${{ inputs.environment }} secrets: - AZURE_CREDENTIALS: ${{secrets.AZURE_CREDENTIALS}} - AZURE_KEY_VAULT: ${{secrets.AZURE_KEY_VAULT}} + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS_DOCS }} + AZURE_KEY_VAULT: ${{ secrets.AZURE_KEY_VAULT_DOCS }} From 6b22d3b555a1bda5786773c8e0d3404a2d27fc2b Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Thu, 25 Jul 2024 14:04:36 +0100 Subject: [PATCH 6/7] don't cache smoke test image build (#6065) --- .github/workflows/setup-smoke.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 700438865a..0c8e345806 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml 
@@ -129,7 +129,6 @@ jobs: file: build/Dockerfile context: "." cache-from: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }} - cache-to: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max target: goreleaser tags: "${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.build_tag }}" load: true From a993239da98ba787b50fa66e7a5db3cfd7464997 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Thu, 25 Jul 2024 08:35:53 -0700 Subject: [PATCH 7/7] Docker image update d41d8cd9 (#6066) --- build/Dockerfile | 20 ++++++++++---------- tests/Dockerfile | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 3d42c34784..d918957c83 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -10,17 +10,17 @@ ARG WAF_VERSION=v4 ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.0@sha256:1a77df60fd641db9e6a9323c8a484f642eb0e276df06104b592ecfd515bc1aef AS opentracing-lib -FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.0-alpine@sha256:8e582e8cac837ad71372fbe1d80ab4d9894fa9dd9d3ad61163ebe87403b6b9db AS alpine-opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.0@sha256:407f8bf197a4001b70658e683d024bff5e51dc4c41ad760c4e1a993c2eb7a8f8 AS opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.0-alpine@sha256:886055b532b95e3f3116c31f55218dd17d752a9a5aec695967e9f9a007bbf2fa AS alpine-opentracing-lib FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.0@sha256:760ed8cff8e0ae835b1873400673d95642e39420e42a02379e0619545008bc07 AS ubi-ppc64le FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.17@sha256:0dcd9149b66a6b35c1253b7662c8ed7ef0e0172ceae893a82058c30668799bf2 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.20@sha256:0ddcfb906a5dc931336db5ba6e0d09d5f77cc48c67e3781aba66a0a27dc14605 AS alpine-fips-3.20 -FROM redhat/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS ubi-minimal -FROM golang:1.22-alpine@sha256:8c9183f715b0b4eca05b8b3dbf59766aaedb41ec07477b132ee2891ac0110a07 AS golang-builder +FROM redhat/ubi9-minimal@sha256:104cf11d890aeb7dd5728b7d7732e175a0e4018f1bb00d2faebcc8f6bf29bd52 AS ubi-minimal +FROM golang:1.22-alpine@sha256:0d3653dd6f35159ec6e3d10263a42372f6f194c3dea0b35235d72aabde86486e AS golang-builder ############################################# Base image for Alpine ############################################# -FROM nginx:1.27.0-alpine@sha256:a45ee5d042aaa9e81e013f97ae40c3dda26fbe98f22b6251acdf28e579560d55 AS alpine +FROM 
nginx:1.27.0-alpine@sha256:208b70eefac13ee9be00e486f79c695b15cef861c680527171a27d253d834be9 AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ @@ -30,7 +30,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for Debian ############################################# -FROM nginx:1.27.0@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df AS debian +FROM nginx:1.27.0@sha256:6af79ae5de407283dcea8b00d5c37ace95441fd58a8b1d2aa1ed93f5511bb18c AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ @@ -98,7 +98,7 @@ USER 101 ############################################# Base image for Alpine with NGINX Plus ############################################# -FROM alpine:3.20@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 AS alpine-plus +FROM alpine:3.20@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS alpine-plus ARG NGINX_PLUS_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} @@ -130,7 +130,7 @@ RUN --mount=type=bind,from=alpine-fips-3.20,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS ############################################# -FROM alpine:3.17@sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc AS alpine-plus-nap-fips +FROM alpine:3.17@sha256:ef813b2faa3dd1a37f9ef6ca98347b72cd0f55e4ab29fb90946f1b853bf032d9 AS alpine-plus-nap-fips ARG NGINX_PLUS_VERSION ARG NGINX_AGENT ARG NGINX_PLUS_VERSION 
@@ -166,7 +166,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAFv5 and FIPS ############################################# -FROM alpine:3.17@sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc AS alpine-plus-nap-v5-fips +FROM alpine:3.17@sha256:ef813b2faa3dd1a37f9ef6ca98347b72cd0f55e4ab29fb90946f1b853bf032d9 AS alpine-plus-nap-v5-fips ARG NGINX_PLUS_VERSION ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -200,7 +200,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ ############################################# Base image for Debian with NGINX Plus ############################################# -FROM debian:12-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 AS debian-plus +FROM debian:12-slim@sha256:5f7d5664eae4a192c2d2d6cb67fc3f3c7891a8722cd2903cc35aa649a12b0c8d AS debian-plus ARG NGINX_PLUS_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} diff --git a/tests/Dockerfile b/tests/Dockerfile index a9a15d6d41..3b1517fb46 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -5,7 +5,7 @@ FROM kindest/node:v1.30.2@sha256:ecfe5841b9bee4fe9690f49c118c33629fa345e3350a0c6 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date FROM quay.io/skopeo/stable:v1.15.2 -FROM python:3.12@sha256:b6f142bd70d2219c98c143094ad2a0b8cc882294a7fb2664377a7b68edfc5767 +FROM python:3.12@sha256:b40b4e5c86136e5400e9347459a9366315ff129e07175fdde8e221147ec5d541 RUN apt-get update \ && apt-get install -y curl git \