Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NGINX: Bump to OpenResty v1.27.1.1. #12229

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

longwuyuan
Copy link
Contributor

@longwuyuan longwuyuan commented Oct 24, 2024

What this PR does / why we need it:

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • CVE Report (Scanner found CVE and adding report)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation only

Which issue/s this PR fixes

fixes #12170

How Has This Been Tested?

  • Changed registry in /images/nginx/Makefile to docker.io/longwuyuan
  • Changed image in /images/nginx/Makefile to nginxbaseimage
  • Executed make in the /images/nginx directory, on local clone
  • It create a baseimage locally
  • Changed /NGINX_BASE to longwuyuan/nginxbaseimage:v1.0.0
  • Tested with "FOCUS=GRPC make kind-e2e-test". It passed
  • Tested with full-suite "make kind-e2e-test
  • Got a shell in the controller pod to confirm nginx version was v1.127.1
  • grype is showing this status
NAME                   INSTALLED   FIXED-IN  TYPE       VULNERABILITY        SEVERITY 
grpc                   1.62.1-r0             apk        CVE-2024-7246        Unknown   
grpc-cpp               1.62.1-r0             apk        CVE-2024-7246        Unknown   
libaddress_sorting     1.62.1-r0             apk        CVE-2024-7246        Unknown   
libgpr                 1.62.1-r0             apk        CVE-2024-7246        Unknown   
libgrpc                1.62.1-r0             apk        CVE-2024-7246        Unknown   
libgrpc_unsecure       1.62.1-r0             apk        CVE-2024-7246        Unknown   
libupb_base_lib        1.62.1-r0             apk        CVE-2024-7246        Unknown   
libupb_json_lib        1.62.1-r0             apk        CVE-2024-7246        Unknown   
libupb_mem_lib         1.62.1-r0             apk        CVE-2024-7246        Unknown   
libupb_message_lib     1.62.1-r0             apk        CVE-2024-7246        Unknown   
libupb_textformat_lib  1.62.1-r0             apk        CVE-2024-7246        Unknown

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have added unit and/or e2e tests to cover my changes.
  • All new and existing tests passed.

cc @rikatz @tao12345666333 @strongjz @Gacko

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 24, 2024
@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 24, 2024
Copy link

netlify bot commented Oct 24, 2024

Deploy Preview for kubernetes-ingress-nginx canceled.

Name Link
🔨 Latest commit bb15edb
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-ingress-nginx/deploys/6761fcc30e70990008a7cab4

@Gacko Gacko changed the title bumped openresty to v1.27.1.1 NGINX: Bump to OpenResty v1.27.1.1. Oct 24, 2024
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 24, 2024
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Oct 24, 2024
@longwuyuan longwuyuan force-pushed the bump-openresty branch 2 times, most recently from b4e6d09 to e218096 Compare October 25, 2024 02:00
@longwuyuan
Copy link
Contributor Author

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 25, 2024
@strongjz
Copy link
Member

need to bump the version TAG as well

https://github.com/kubernetes/ingress-nginx/blob/main/images/nginx/TAG

@strongjz
Copy link
Member

@strongjz strongjz requested review from Gacko and strongjz and removed request for puerco October 25, 2024 13:47
@strongjz
Copy link
Member

/kind feature
/priority backlog

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority labels Oct 25, 2024
@longwuyuan
Copy link
Contributor Author

need to bump the version TAG as well

https://github.com/kubernetes/ingress-nginx/blob/main/images/nginx/TAG

@strongjz Bumped /images/nginx/TAG from v1.0.0 to v1.0.1. Please check

@Gacko
Copy link
Member

Gacko commented Oct 25, 2024

Please do not bump the tag. Cloud Build triggers on any changes.

@longwuyuan
Copy link
Contributor Author

@Gacko reset the TAG back to v1.0.0. Please check

@strongjz
Copy link
Member

Please do not bump the tag. Cloud Build triggers on any changes.

Only on merges to main? Which we want to build the image and then cherry pick into a release.

@Gacko
Copy link
Member

Gacko commented Oct 25, 2024

Currently Cloud Build is configured to trigger on any changes to the images, not only the TAG, on main and release-* branches. So merging to main would trigger it.

The thing about the TAG: It's part of the release and I'd rather not let it be changed by contributors as the decision to which version to bump to is being made during the release process. Like, last time I checked the changes of each image and then bumped the TAG depending on if it's only patches/dependency updates or real changes with more impact (minor version bumped then).

Also we're currently using different versions of the NGINX image across the branches as we removed Global Rate Limiting on v1.12 only, but still have it in v1.11 and v1.10. Therefore the former uses TAG v1.0.0 and the latter stay on v0.1.0.

tl;dr: IMHO the TAG should be bumped during release process only.

cherry pick into a release.

I'd not cherry-pick these changes to any of the release-* branches. It's a minor change and should only be released with a v1.13.

I hopefully find some time to review this PR this weekend. Please, if possible, do not merge before.

@strongjz
Copy link
Member

We need the container built before the release.

  1. Merge to main with tag update
  2. cloud build runs
  3. another pr to main to update nginx image sha
  4. then cherry pick that to update it
  5. release a new controller version

@Gacko
Copy link
Member

Gacko commented Oct 29, 2024

I'm aware of that. But the container also builds if any file of the image changes: https://github.com/kubernetes/test-infra/blob/master/config/jobs/image-pushing/k8s-staging-ingress-nginx.yaml#L177.

So there is no need to bump the TAG, which's content should be decided by the ones forging the release, in this PR here.

Anyway, I hope I find some time to review it in the next days. Sorry for that!

@rikatz
Copy link
Contributor

rikatz commented Nov 14, 2024

@longwuyuan please bump the TAG file at least to start the test build, we can figure out cloud-build after it.

Once the build passes, worst case we can revert before merging.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 14, 2024
Copy link
Member

@Gacko Gacko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no need to bump the TAG. Cloud Build is configured to trigger on any change in the whole directory, not just the TAG. Bumping the TAG to a proper version we then use in the NGINX_BASE is part of the release process, not part of development.

Also please do not merge this before we sorted v1.12 as we might build the NGINX base image from main and then populate everything to the other branches. With this PR merged before the v1.12 release, the base image will include unwanted changes.

/hold

@rikatz
Copy link
Contributor

rikatz commented Nov 14, 2024

@Gacko the e2e tests runs with the new image when the TAG is bumped. I am not saying to merge, but I want to see the test passing

@strongjz strongjz added this to the release-1.13 milestone Dec 2, 2024
@littledan
Copy link

This patch is very important to land, to enable the security of ingress-nginx installations, given that nginx 1.25 is EOL. What will it take to land it?

@strongjz
Copy link
Member

This patch is very important to land, to enable the security of ingress-nginx installations, given that nginx 1.25 is EOL. What will it take to land it?

We have spent the last few weeks debugging the nginx build in cloud build that was broken. We just got it working today. So we can start adding in PRs like this one. So soon. And most likely in 1.13.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: longwuyuan
Once this PR has been reviewed and has the lgtm label, please assign strongjz for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Nginx version 1.25.0 which is EOL
6 participants