From b39b20021e0d01ce7812b03aed3a3eb0d20f8158 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Thu, 21 Nov 2024 10:23:00 +1300 Subject: [PATCH 01/29] feat: Create container image of utility tools not avialable in production containers * The container can then be attached to a target container ephermerally for troubleshooting the target container * These tools include curl, netcat, iproute2, iperf, bash * The Makefile currently creates an image for linux/amd64 systems --- Makefile | 3 +++ nginx-debugger/Dockerfile | 10 ++++++++++ 2 files changed, 13 insertions(+) create mode 100644 nginx-debugger/Dockerfile diff --git a/Makefile b/Makefile index c478dd0..bbd4469 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,8 @@ build: go build -o cmd/kubectl-nginx_supportpkg +debugger: + docker buildx build --platform linux/amd64 -t nginx-debugger -f nginx-debugger/Dockerfile . + install: build sudo cp cmd/kubectl-nginx_supportpkg /usr/local/bin \ No newline at end of file diff --git a/nginx-debugger/Dockerfile b/nginx-debugger/Dockerfile new file mode 100644 index 0000000..d535a65 --- /dev/null +++ b/nginx-debugger/Dockerfile @@ -0,0 +1,10 @@ +FROM alpine:latest + +RUN apk --update add bind-tools curl netcat-openbsd iproute2 iperf bash && rm -rf /var/cache/apk/* \ + && ln -s /usr/bin/iperf /usr/local/bin/iperf \ + && ls -altrh /usr/local/bin/iperf + +ADD https://github.com/coredns/coredns/releases/download/v1.11.4/coredns_1.11.4_linux_amd64.tgz /coredns.tgz +RUN tar -xzvf /coredns.tgz && rm -f /coredns.tgz + +CMD ["bash"] \ No newline at end of file From fed2bf3c078cde66ff2032f91dac2411ae29009d Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Thu, 27 Mar 2025 15:33:26 +1300 Subject: [PATCH 02/29] feat: introduce NGINX API stats script --- Makefile | 4 +++- nginx-debugger/Dockerfile | 10 +++++++--- nginx-debugger/api_stats.sh | 6 ++++++ 3 files changed, 16 insertions(+), 4 deletions(-) create mode 100644 nginx-debugger/api_stats.sh 
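Review bot: `ADD https://github.com/coredns/coredns/releases/download/v1.11.4/coredns_1.11.4_linux_amd64.tgz /coredns.tgz` fetches a remote archive with no integrity check and the next `RUN tar -xzvf /coredns.tgz` unpacks it into `/`, so the image contents depend on whatever that URL serves at build time and the tarball can overwrite system paths. Pin the artifact, e.g. `ADD --checksum=sha256:<digest of the 1.11.4 tarball> https://github.com/coredns/coredns/releases/download/v1.11.4/coredns_1.11.4_linux_amd64.tgz /coredns.tgz` (or `curl -fsSL` plus `sha256sum -c` in the same `RUN`), and extract with `tar -xzf /coredns.tgz -C /usr/local/bin` into a fixed directory. `FROM alpine:latest` together with the unpinned `apk --update add ...` means two builds of this commit can produce different images, which makes any later vulnerability report hard to tie to a known artifact; pin the base tag (ideally by digest) and consider `apk add --no-cache` with versions. The `ls -altrh /usr/local/bin/iperf` line is build-time debugging output and can go.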
diff --git a/Makefile b/Makefile index bbd4469..0e1086e 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,9 @@ build: go build -o cmd/kubectl-nginx_supportpkg debugger: - docker buildx build --platform linux/amd64 -t nginx-debugger -f nginx-debugger/Dockerfile . + docker buildx build --build-context project=nginx-debugger --platform linux/amd64 -t nginx-debugger -f nginx-debugger/Dockerfile . +# docker tag nginx-debugger:latest mrajagopal/f5-utils:latest +# docker push mrajagopal/f5-utils:latest install: build sudo cp cmd/kubectl-nginx_supportpkg /usr/local/bin \ No newline at end of file diff --git a/nginx-debugger/Dockerfile b/nginx-debugger/Dockerfile index d535a65..2bb28b1 100644 --- a/nginx-debugger/Dockerfile +++ b/nginx-debugger/Dockerfile @@ -1,10 +1,14 @@ FROM alpine:latest +COPY --chmod=744 --from=project api_stats.sh /root/api_stats.sh -RUN apk --update add bind-tools curl netcat-openbsd iproute2 iperf bash && rm -rf /var/cache/apk/* \ +RUN apk --update add bind-tools curl netcat-openbsd iproute2 iperf tcpdump tshark bash jq \ + && rm -rf /var/cache/apk/* \ && ln -s /usr/bin/iperf /usr/local/bin/iperf \ && ls -altrh /usr/local/bin/iperf -ADD https://github.com/coredns/coredns/releases/download/v1.11.4/coredns_1.11.4_linux_amd64.tgz /coredns.tgz -RUN tar -xzvf /coredns.tgz && rm -f /coredns.tgz +# Setting User and Home +USER root +WORKDIR /root +ENV HOSTNAME=nginx-utils CMD ["bash"] \ No newline at end of file diff --git a/nginx-debugger/api_stats.sh b/nginx-debugger/api_stats.sh new file mode 100644 index 0000000..9bf3fc5 --- /dev/null +++ b/nginx-debugger/api_stats.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash +for i in /api/8/processes /api/8/connections /api/8/slabs /api/8/http/requests /api/8/http/server_zones /api/8/http/location_zones /api/8/http/caches /api/8/http/upstreams /api/8/http/keyvals; do + echo "**** $i ****" ; + curl -s "127.0.0.1:8080/$i" | jq .; + echo ""; +done \ No newline at end of file 
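Review bot: `USER root` and `WORKDIR /root` leave the image running as root by default, and this hunk also adds `tcpdump` and `tshark`, tools whose protocol dissectors have a long CVE history; if root is intentional (packet capture needs NET_RAW/NET_ADMIN when this image is attached as an ephemeral debug container), say so next to the directive, e.g. `# Runs as root on purpose: tcpdump/tshark need NET_RAW/NET_ADMIN and this image is only attached ephemerally for troubleshooting`. `ENV HOSTNAME=nginx-utils` does not set the container hostname - the runtime populates `HOSTNAME` itself - so either drop it or set the hostname at run time. `COPY --chmod=744 --from=project api_stats.sh /root/api_stats.sh` only resolves when the build is driven through the Makefile's `--build-context project=nginx-debugger`; a plain `docker build -f nginx-debugger/Dockerfile .` will presumably fail on the missing `project` context, which is worth a comment above the `COPY`.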
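Review bot: `curl -s "127.0.0.1:8080/$i" | jq .` hides every HTTP failure: without `-f`, a 404 (API module not enabled on that listener) or 403 body is handed to `jq`, which prints a parse error instead of the real status. Use `curl -sf "127.0.0.1:8080$i" | jq .`, which also drops the doubled slash since every `$i` already starts with `/`. The API version `8` and port `8080` are hard-coded; a one-line header comment such as `# Dumps the NGINX Plus API (version 8) from the local listener on :8080` would tell the next reader what this script expects to find.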
From bd77d7b952ded0c4a3dcfb8700c392aaf30c944c Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Fri, 30 May 2025 14:24:01 +1200 Subject: [PATCH 03/29] Added additional tools for troubleshooting --- nginx-debugger/Dockerfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nginx-debugger/Dockerfile b/nginx-debugger/Dockerfile index 2bb28b1..c040f70 100644 --- a/nginx-debugger/Dockerfile +++ b/nginx-debugger/Dockerfile @@ -1,7 +1,10 @@ FROM alpine:latest COPY --chmod=744 --from=project api_stats.sh /root/api_stats.sh -RUN apk --update add bind-tools curl netcat-openbsd iproute2 iperf tcpdump tshark bash jq \ +RUN set -ex \ + && apk --update add --no-cache \ + bind-tools curl netcat-openbsd iproute2 \ + iperf tcpdump tshark bash jq \ && rm -rf /var/cache/apk/* \ && ln -s /usr/bin/iperf /usr/local/bin/iperf \ && ls -altrh /usr/local/bin/iperf From d49821ff24c87645c77cf26a60f6666fd087664b Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Mon, 9 Jun 2025 12:39:51 +1200 Subject: [PATCH 04/29] Fix: api_stats.sh improvements * Get latest API version from the API itself * Provide commandline option for port and help --- nginx-debugger/api_stats.sh | 45 +++++++++++++++++++++++++++++++++---- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/nginx-debugger/api_stats.sh b/nginx-debugger/api_stats.sh index 9bf3fc5..7683310 100644 --- a/nginx-debugger/api_stats.sh +++ b/nginx-debugger/api_stats.sh 
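Review bot: `apk --update add --no-cache bind-tools curl netcat-openbsd iproute2 iperf tcpdump tshark bash jq` still installs unpinned package versions on top of `alpine:latest`, so two builds of the same commit can differ and a vulnerability report from one build does not describe the other (hadolint DL3018). Pin at least the network-facing tools, e.g. `tcpdump=<ver>-r0 tshark=<ver>-r0`, or pin the base image by digest and accept the repository snapshot for that tag. With `--no-cache` in place, `--update` and the trailing `&& rm -rf /var/cache/apk/*` are no-ops and can be removed; `set -ex` echoing each command into the build log is fine here since nothing sensitive is involved.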
@@ -1,6 +1,43 @@ #!/usr/bin/env bash -for i in /api/8/processes /api/8/connections /api/8/slabs /api/8/http/requests /api/8/http/server_zones /api/8/http/location_zones /api/8/http/caches /api/8/http/upstreams /api/8/http/keyvals; do - echo "**** $i ****" ; - curl -s "127.0.0.1:8080/$i" | jq .; - echo ""; + +# Parse command line options +set -e +set -o pipefail +while getopts "p:v:h" opt; do + case $opt in + p) API_PORT="$OPTARG" + ;; + h) echo "Usage: $0 [-p port]" + exit 0 + ;; + \?) echo "Invalid option -$OPTARG" >&2 + echo "Usage: $0 [-p port]" + exit 1 + ;; + esac +done + +if [ $OPTIND -eq 1 ]; then + echo "No options were passed, exiting ..." + echo "Usage: $(basename "$0") [-p port]" + exit 1 +fi + +if [ -z "${API_PORT}" ]; then + echo 'Missing -p arg' >&2 + exit 1 +fi + +api_versions=($(curl http://127.0.0.1:$API_PORT/api/ | sed -e 's/\[//g' -e 's/\]//g' -e 's/\,/ /g')) +API_VERSION=${api_versions[-1]} +echo "API_VERSION: $API_VERSION" + +echo "**** /api/$API_VERSION/nginx ****" ; +curl -s "127.0.0.1:$API_PORT/api/$API_VERSION/nginx" | jq .; +echo ""; + +for i in /api/$API_VERSION/processes /api/$API_VERSION/connections /api/$API_VERSION/slabs /api/$API_VERSION/http/requests /api/$API_VERSION/http/server_zones /api/$API_VERSION/http/location_zones /api/$API_VERSION/http/caches /api/$API_VERSION/http/upstreams /api/$API_VERSION/http/keyvals; do + echo "**** $i ****" ; + curl -s "127.0.0.1:$API_PORT/$i" | jq .; + echo ""; done \ No newline at end of file From 742a3083f75b0c208ee9e3f34a1867b2b5071789 Mon Sep 17 00:00:00 2001 
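Review bot: `api_versions=($(curl http://127.0.0.1:$API_PORT/api/ | sed ...))` takes whatever the server returns - without `-f`, a 404/403 HTML body becomes the word list - so `API_VERSION` can end up as an arbitrary token that is then spliced into every subsequent URL; use `curl -sf` and bail out unless the value is numeric, e.g. `[[ "$API_VERSION" =~ ^[0-9]+$ ]] || { echo "unexpected /api/ response: $API_VERSION" >&2; exit 1; }`. `API_PORT` is likewise used unchecked; a `case "$API_PORT" in ''|*[!0-9]*) echo 'port must be numeric' >&2; exit 1;; esac` guard before the first curl turns a typo into a clear error rather than a confusing connection failure. `getopts "p:v:h"` declares `-v` with an argument but no `case` branch handles it, so `-v x` is silently swallowed; drop it or add a handler. With `set -e` and `pipefail` now active, a 2xx body that is not JSON aborts the whole run at the first `jq`, which is probably acceptable but worth a comment.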
From: Madhu RAJAGOPAL Date: Fri, 13 Jun 2025 15:16:51 +1200 Subject: [PATCH 05/29] Feat: Add docker-build.yml to githb workflow * Rename image to nginx-utils --- .github/workflows/docker-build.yml | 31 ++++++++++++++++++++ Makefile | 7 ++--- {nginx-debugger => nginx-utils}/Dockerfile | 0 {nginx-debugger => nginx-utils}/api_stats.sh | 0 4 files changed, 34 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/docker-build.yml rename {nginx-debugger => nginx-utils}/Dockerfile (100%) rename {nginx-debugger => nginx-utils}/api_stats.sh (100%) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml new file mode 100644 index 0000000..3ceae6c --- /dev/null +++ b/.github/workflows/docker-build.yml @@ -0,0 +1,31 @@ +name: Build and Push Docker Image for nginx-utils container +on: + push: + branches: + - mrajagopal-utils-pod + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Build and push Docker image + uses: docker/build-push-action@v2 + with: + context: . + file: nginx-utils/Dockerfile + push: true + tags: nginx-utils:latest + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + diff --git a/Makefile b/Makefile index 0e1086e..a9ec57f 100644 --- a/Makefile +++ b/Makefile 
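Review bot: Every `uses:` in this job is pinned to a mutable tag (`actions/checkout@v3`, `docker/setup-buildx-action@v1`, `docker/build-push-action@v2`, `docker/login-action@v3`) while the job publishes an image with `push: true`; pin each action to a full commit SHA with the version in a trailing comment, as `release-builder.yml` in this repository already does (`actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`). There is no top-level `permissions:` block, so the job inherits the repository's default token scope instead of the minimum `contents: read` plus `packages: write`. The login step is placed after the build-and-push step and `tags: nginx-utils:latest` has no registry prefix, so the push would presumably fail (unauthenticated push to Docker Hub) in this order; both need fixing before this workflow publishes anything.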
@@ -1,10 +1,9 @@ +.PHONY: nginx-utils build install build: go build -o cmd/kubectl-nginx_supportpkg -debugger: - docker buildx build --build-context project=nginx-debugger --platform linux/amd64 -t nginx-debugger -f nginx-debugger/Dockerfile . -# docker tag nginx-debugger:latest mrajagopal/f5-utils:latest -# docker push mrajagopal/f5-utils:latest +nginx-utils: + docker buildx build --build-context project=nginx-utils --platform linux/amd64 -t nginx-utils -f nginx-utils/Dockerfile . install: build sudo cp cmd/kubectl-nginx_supportpkg /usr/local/bin \ No newline at end of file diff --git a/nginx-debugger/Dockerfile b/nginx-utils/Dockerfile similarity index 100% rename from nginx-debugger/Dockerfile rename to nginx-utils/Dockerfile diff --git a/nginx-debugger/api_stats.sh b/nginx-utils/api_stats.sh similarity index 100% rename from nginx-debugger/api_stats.sh rename to nginx-utils/api_stats.sh From 90eac87f3e5cdc7881d310dfb0e8e98e360d2a78 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Fri, 13 Jun 2025 15:24:01 +1200 Subject: [PATCH 06/29] Fix: copy the local file correctly using Dockerfile syntax --- nginx-utils/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx-utils/Dockerfile b/nginx-utils/Dockerfile index c040f70..5de3df5 100644 --- a/nginx-utils/Dockerfile +++ b/nginx-utils/Dockerfile @@ -1,5 +1,5 @@ FROM alpine:latest -COPY --chmod=744 --from=project api_stats.sh /root/api_stats.sh +COPY --chmod=744 api_stats.sh /root/api_stats.sh RUN set -ex \ && apk --update add --no-cache \ From 053a4795c0cca863664d8950c3c4dc3cf8b4311a Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Fri, 13 Jun 2025 15:43:25 +1200 Subject: [PATCH 07/29] fix: debug docker build workflow in github actions --- .github/workflows/docker-build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 3ceae6c..db916b5 100644 --- a/.github/workflows/docker-build.yml 
+++ b/.github/workflows/docker-build.yml @@ -11,6 +11,9 @@ jobs: - name: Checkout code uses: actions/checkout@v3 + # Step 2: Debug: Verify api_stats.sh and repository content + - name: List repository files + run: ls -R .; pwd - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 From 47cc68eba1a400b426158a099a09747f2b1daec4 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Fri, 13 Jun 2025 15:52:31 +1200 Subject: [PATCH 08/29] Fix: copy file properly in Dockerfile --- nginx-utils/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx-utils/Dockerfile b/nginx-utils/Dockerfile index 5de3df5..49df160 100644 --- a/nginx-utils/Dockerfile +++ b/nginx-utils/Dockerfile @@ -1,5 +1,5 @@ FROM alpine:latest -COPY --chmod=744 api_stats.sh /root/api_stats.sh +COPY --chmod=744 nginx-utils/api_stats.sh /root/api_stats.sh RUN set -ex \ && apk --update add --no-cache \ From 71e82a3b90cafaeda4c2f794caba5c80dc8f4bc4 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Fri, 13 Jun 2025 16:05:45 +1200 Subject: [PATCH 09/29] Fix: fix docker image push failure * Changed order to have login to ghcr before image build --- .github/workflows/docker-build.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index db916b5..3ec2af1 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -17,6 +17,12 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push Docker image uses: docker/build-push-action@v2 with: 
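Review bot: `run: ls -R .; pwd` is a debugging step that prints the whole checkout on every run of a publishing workflow; once the `COPY` path problem it was added to diagnose is resolved it should be removed rather than left in place, or at least marked `# TODO(remove): temporary debug output`. The enclosing `steps:` list continues outside this hunk.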
@@ -25,10 +31,5 @@ jobs: push: true tags: nginx-utils:latest - - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} + From 60ac1acb83a0a03bf03be29c0849884a5530c67d Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Fri, 13 Jun 2025 16:58:16 +1200 Subject: [PATCH 10/29] Fix: push container image to GHCR --- .github/workflows/docker-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 3ec2af1..13e84cb 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -29,7 +29,7 @@ jobs: context: . file: nginx-utils/Dockerfile push: true - tags: nginx-utils:latest + tags: ghcr.io/nginx/nginx-utils:latest From 36d1e3e4b05d55751cad2f6e0dde0645170ab8c3 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Fri, 13 Jun 2025 22:32:27 +1200 Subject: [PATCH 11/29] Feat: Add trivy vulnerability scan and upload report via github workflow --- .github/workflows/docker-build.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 13e84cb..9abd67b 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -31,5 +31,16 @@ jobs: push: true tags: ghcr.io/nginx/nginx-utils:latest + # Step 5: Install Trivy for Vulnerability Scanning + - name: Install Trivy + uses: aquasecurity/trivy-action@v0.11.0 + with: + image-ref: ghcr.io/${{ github.repository_owner }}/nginx-utils:latest + format: json + output: vuln-report.json - + - name: Upload Vulnerability Report + uses: actions/upload-artifact@v3 + with: + name: vuln-report + path: vuln-report.json From c4985c3b528fd3ca173fe3c8dc4b481e84e61c2a Mon Sep 17 00:00:00 2001 
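Review bot: The Trivy scan runs after `push: true`, so a vulnerable image is already published as `ghcr.io/nginx/nginx-utils:latest` before the report exists, and with no `exit-code`/`severity` inputs the step can never fail the job; move the scan ahead of the push (scan the locally built tag with `load: true`, then push in a second build-push step that hits the cache) and add `exit-code: '1'` with `severity: 'CRITICAL,HIGH'` (plus `ignore-unfixed: true` if only actionable findings should block). The scanned reference `ghcr.io/${{ github.repository_owner }}/nginx-utils:latest` differs from the pushed `ghcr.io/nginx/nginx-utils:latest` whenever the workflow runs from a fork, so the scan may inspect a different image than the one just built; use one expression for both. `aquasecurity/trivy-action@v0.11.0` is an old release and, like the other actions here, should be pinned by commit SHA.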
From: Madhu RAJAGOPAL Date: Fri, 13 Jun 2025 22:37:01 +1200 Subject: [PATCH 12/29] fix: vulnerability scan --- .github/workflows/docker-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 9abd67b..4e316fb 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -33,14 +33,14 @@ jobs: # Step 5: Install Trivy for Vulnerability Scanning - name: Install Trivy - uses: aquasecurity/trivy-action@v0.11.0 + uses: aquasecurity/trivy-action with: image-ref: ghcr.io/${{ github.repository_owner }}/nginx-utils:latest format: json output: vuln-report.json - name: Upload Vulnerability Report - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact with: name: vuln-report path: vuln-report.json From 8c180494c81d4b3432ce363b7d95b99a78da5a60 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Fri, 13 Jun 2025 22:40:48 +1200 Subject: [PATCH 13/29] fix: vulnerability scan and report upload --- .github/workflows/docker-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 4e316fb..0662965 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -33,14 +33,14 @@ jobs: # Step 5: Install Trivy for Vulnerability Scanning - name: Install Trivy - uses: aquasecurity/trivy-action + uses: aquasecurity/trivy-action@0.28.0 with: image-ref: ghcr.io/${{ github.repository_owner }}/nginx-utils:latest format: json output: vuln-report.json - name: Upload Vulnerability Report - uses: actions/upload-artifact + uses: actions/upload-artifact@4 with: name: vuln-report path: vuln-report.json From 9184914dd2cdc45beeaf169c0bcb4e04c38544d9 Mon Sep 17 00:00:00 2001 
From: Madhu RAJAGOPAL Date: Fri, 13 Jun 2025 22:42:15 +1200 Subject: [PATCH 14/29] fix: vulnerability report upload --- .github/workflows/docker-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 0662965..f069501 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -40,7 +40,7 @@ jobs: output: vuln-report.json - name: Upload Vulnerability Report - uses: actions/upload-artifact@4 + uses: actions/upload-artifact@v3 with: name: vuln-report path: vuln-report.json From bae4b7218abbb4feafd1d5e2c2bfb9aa625d3d93 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Fri, 13 Jun 2025 22:45:58 +1200 Subject: [PATCH 15/29] fix: upload artifact vuln report --- .github/workflows/docker-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index f069501..6b4c221 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -40,7 +40,7 @@ jobs: output: vuln-report.json - name: Upload Vulnerability Report - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: vuln-report path: vuln-report.json From ea96377568bb977ab2b09c3a91d0ddc92e4d0996 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Mon, 16 Jun 2025 11:22:13 +1200 Subject: [PATCH 16/29] Chore: Added opencontainerer annotations to the nginx-utils image * https://specs.opencontainers.org/image-spec/annotations/ --- nginx-utils/Dockerfile | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/nginx-utils/Dockerfile b/nginx-utils/Dockerfile index 49df160..0fa2f97 100644 --- a/nginx-utils/Dockerfile +++ b/nginx-utils/Dockerfile 
@@ -1,4 +1,13 @@ FROM alpine:latest + +LABEL org.opencontainers.image.description="Container image including various troubleshooting tools such as curl, tcpdump, iperf, netcat to name a few not available in the target container" +LABEL org.opencontainers.image.vendor="NGINX" +LABEL org.opencontainers.image.authors="NGINX " +LABEL org.opencontainers.image.url="https://github.com/nginx/nginx-supportpkg-for-k8s/pkgs/container/nginx-utils" +LABEL org.opencontainers.image.documentation="https://github.com/nginx/nginx-supportpkg-for-k8s/pkgs/container/nginx-utils" +LABEL org.opencontainers.image.source="https://github.com/nginx/nginx-supportpkg-for-k8s/tree/main/nginx-utils" +LABEL org.opencontainers.image.licenses="Apache-2.0" + COPY --chmod=744 nginx-utils/api_stats.sh /root/api_stats.sh RUN set -ex \ From 141aebba1b7db4baa826da7d445e518749bc9186 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Mon, 16 Jun 2025 11:44:36 +1200 Subject: [PATCH 17/29] Fix: Address workflow persmissions * Added permissions block to the docker-build workflow --- .github/workflows/docker-build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 6b4c221..8a4fb00 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -1,4 +1,8 @@ name: Build and Push Docker Image for nginx-utils container +permissions: + contents: read + packages: write + actions: write on: push: branches: From 3c176084eb002b504cdb86b148feb41f1c52b343 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Mon, 16 Jun 2025 13:46:56 +1200 Subject: [PATCH 18/29] Fix: Use recent releases for workflow jobs pipeline * actions/checkout@v4.2.2 * actions/upload-artifact@4.6.2 * docker/checkout@4.2.2 * docker/login-action@v3.4.0 * docker/build-push-action@6.18.0 * aquasecurity/trivy-action@0.31.0 --- .github/workflows/docker-build.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) 
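Review bot: `LABEL org.opencontainers.image.authors="NGINX "` carries a trailing space and no contact address; the OCI spec intends this label for a contact (`"NGINX <email or URL>"`), so either add one or drop the label. The hunk omits `org.opencontainers.image.version` and `org.opencontainers.image.revision`, which are the labels a scanner or incident responder uses to map a running image back to a release and commit; these can be fed from build args (`ARG VERSION REVISION`) populated by the workflow.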
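Review bot: `actions: write` in the new `permissions:` block lets the job cancel and re-run workflows, and none of the steps visible in this workflow (checkout, buildx, login, build-push, trivy, upload-artifact) obviously needs it; if it was added for `actions/upload-artifact`, confirm that and record it in a comment, otherwise drop it and keep the block at `contents: read` plus `packages: write`. A short comment per scope, e.g. `packages: write # docker/login-action + build-push publish to ghcr.io`, saves the next reviewer from rediscovering why each grant exists.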
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 8a4fb00..006315c 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -13,22 +13,22 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4.2.2 # Step 2: Debug: Verify api_stats.sh and repository content - name: List repository files run: ls -R .; pwd - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v3.10.0 - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@v3.4.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push Docker image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6.18.0 with: context: . file: nginx-utils/Dockerfile @@ -36,15 +36,16 @@ jobs: tags: ghcr.io/nginx/nginx-utils:latest # Step 5: Install Trivy for Vulnerability Scanning - - name: Install Trivy - uses: aquasecurity/trivy-action@0.28.0 + - name: Install Trivy and scan image for vulnerabilities + uses: aquasecurity/trivy-action@0.31.0 + with: image-ref: ghcr.io/${{ github.repository_owner }}/nginx-utils:latest format: json output: vuln-report.json - name: Upload Vulnerability Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v4.6.2 with: name: vuln-report path: vuln-report.json From e20a96009ac1725e9a1bebbe8f3a2611c2c2fee2 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Mon, 16 Jun 2025 15:05:59 +1200 Subject: [PATCH 19/29] Feat: Added memory stats script to the container image --- nginx-utils/Dockerfile | 1 + nginx-utils/memory_stats.sh | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 nginx-utils/memory_stats.sh diff --git a/nginx-utils/Dockerfile b/nginx-utils/Dockerfile index 0fa2f97..003a3e9 100644 --- a/nginx-utils/Dockerfile +++ b/nginx-utils/Dockerfile 
@@ -9,6 +9,7 @@ LABEL org.opencontainers.image.source="https://github.com/nginx/nginx-supportpkg LABEL org.opencontainers.image.licenses="Apache-2.0" COPY --chmod=744 nginx-utils/api_stats.sh /root/api_stats.sh +COPY --chmod=744 nginx-utils/memory_stats.sh /root/memory_stats.sh RUN set -ex \ && apk --update add --no-cache \ diff --git a/nginx-utils/memory_stats.sh b/nginx-utils/memory_stats.sh new file mode 100644 index 0000000..c7f8278 --- /dev/null +++ b/nginx-utils/memory_stats.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +echo "" +echo " **** Output of memory.stat ****" +cat /sys/fs/cgroup/memory.stat + +echo "" +echo " **** Output of pmap for nginx and nginx-ingress processes ****" +for p in $(pidof nginx nginx-ingress); do pmap ${p} -x; done + +echo "" +echo " **** Output of /proc/pid/status for nginx and nginx-ingress processes ****" +for p in $(pidof nginx nginx-ingress); do cat /proc/${p}/status; done \ No newline at end of file From 75fc05c0ea09c814c0c9de9ff0f4d7fa3614c1e7 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Mon, 16 Jun 2025 15:30:19 +1200 Subject: [PATCH 20/29] Fix: Output JSON raw for unformatted redirection to file --- nginx-utils/api_stats.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nginx-utils/api_stats.sh b/nginx-utils/api_stats.sh index 7683310..10b1ec0 100644 --- a/nginx-utils/api_stats.sh +++ b/nginx-utils/api_stats.sh 
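Review bot: `cat /sys/fs/cgroup/memory.stat` only exists on a cgroup v2 unified hierarchy; on a v1 node the file is `/sys/fs/cgroup/memory/memory.stat`, so the first section prints an error and nothing useful. Try both paths, e.g. `for f in /sys/fs/cgroup/memory.stat /sys/fs/cgroup/memory/memory.stat; do [ -r "$f" ] && cat "$f" && break; done`. `pidof nginx nginx-ingress` and `/proc/${p}/status` only see the target's processes when this debug container shares the target's PID namespace (`kubectl debug --target=<container>` or `shareProcessNamespace: true`); a header comment stating that prerequisite would explain why the loops print nothing otherwise. `pmap ${p} -x` presumably relies on BusyBox's `pmap` in Alpine, since the Dockerfile installs no procps; worth a comment so nobody swaps in a procps build expecting different output.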
@@ -28,16 +28,16 @@ if [ -z "${API_PORT}" ]; then exit 1 fi -api_versions=($(curl http://127.0.0.1:$API_PORT/api/ | sed -e 's/\[//g' -e 's/\]//g' -e 's/\,/ /g')) +api_versions=($(curl -s http://127.0.0.1:$API_PORT/api/ | sed -e 's/\[//g' -e 's/\]//g' -e 's/\,/ /g')) API_VERSION=${api_versions[-1]} echo "API_VERSION: $API_VERSION" echo "**** /api/$API_VERSION/nginx ****" ; -curl -s "127.0.0.1:$API_PORT/api/$API_VERSION/nginx" | jq .; +curl -s "127.0.0.1:$API_PORT/api/$API_VERSION/nginx" | jq -r '.'; echo ""; for i in /api/$API_VERSION/processes /api/$API_VERSION/connections /api/$API_VERSION/slabs /api/$API_VERSION/http/requests /api/$API_VERSION/http/server_zones /api/$API_VERSION/http/location_zones /api/$API_VERSION/http/caches /api/$API_VERSION/http/upstreams /api/$API_VERSION/http/keyvals; do echo "**** $i ****" ; - curl -s "127.0.0.1:$API_PORT/$i" | jq .; + curl -s "127.0.0.1:$API_PORT/$i" | jq -r '.'; echo ""; done \ No newline at end of file From c7aa018feff9deeec1054c56a79fb3db123ad896 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Mon, 16 Jun 2025 17:10:32 +1200 Subject: [PATCH 21/29] Chore: Change docker-build workflow * trigger on any branch * when contents of nginx-utils dir changes --- .github/workflows/docker-build.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 006315c..f4d21fc 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -4,10 +4,13 @@ permissions: packages: write actions: write on: + workflow_dispatch: push: branches: - - mrajagopal-utils-pod - + - '*' + paths: + - 'nginx-utils/**' + - '.github/workflows/docker-build.yml' jobs: build: runs-on: ubuntu-latest From bae23efcfb48b474dbdb435946848be38dda87d1 Mon Sep 17 00:00:00 2001 
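Review bot: With `branches: - '*'` and the unchanged `push: true` / `tags: ghcr.io/nginx/nginx-utils:latest` further down, any push to any top-level branch touching `nginx-utils/**` overwrites the public `latest` tag on GHCR, so an unreviewed feature-branch Dockerfile becomes what users pull by default. Restrict publishing to protected refs and gate the push on the ref, e.g. `push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}`, building without pushing elsewhere. Note that `'*'` does not match `/`, so `feature/x` branches would not trigger at all; `'**'` is probably what was meant if all branches are intended. `workflow_dispatch` is fine as long as it is subject to the same push gate.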
From: Madhu RAJAGOPAL Date: Tue, 17 Jun 2025 12:07:14 +1200 Subject: [PATCH 22/29] Fix: Build container image on release trigger * tweak memory_stats.sh to fail on first error --- .github/workflows/docker-build.yml | 12 +++++------- nginx-utils/memory_stats.sh | 2 +- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index f4d21fc..bc5ec4b 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -4,13 +4,11 @@ permissions: packages: write actions: write on: - workflow_dispatch: - push: - branches: - - '*' - paths: - - 'nginx-utils/**' - - '.github/workflows/docker-build.yml' + release: + types: [created] + +env: + RELEASE_VERSION: ${{ github.event.release.tag_name }} jobs: build: runs-on: ubuntu-latest diff --git a/nginx-utils/memory_stats.sh b/nginx-utils/memory_stats.sh index c7f8278..10818c1 100644 --- a/nginx-utils/memory_stats.sh +++ b/nginx-utils/memory_stats.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash - +set -e echo "" echo " **** Output of memory.stat ****" cat /sys/fs/cgroup/memory.stat From 47baa6ddcc22ae06e037cdfb0478c5b7f64d34e9 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Tue, 17 Jun 2025 16:34:30 +1200 Subject: [PATCH 23/29] Fix: Added muti-platform directive to docker-build workflow * Also add build tags based on release tag --- .github/workflows/docker-build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index bc5ec4b..14a8442 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -35,6 +35,7 @@ jobs: file: nginx-utils/Dockerfile push: true tags: ghcr.io/nginx/nginx-utils:latest + platforms: linux/amd64,linux/arm64 # Step 5: Install Trivy for Vulnerability Scanning - name: Install Trivy and scan image for vulnerabilities From ebc3ab827b851dab9187f5a4040bd9377c52210d Mon Sep 17 00:00:00 2001 
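Review bot: Adding `set -e` at the top makes the first `cat /sys/fs/cgroup/memory.stat` fatal on cgroup v1 hosts (where the file lives at `/sys/fs/cgroup/memory/memory.stat`), so the pmap and `/proc/<pid>/status` sections that would still work are never reached; guard the read, e.g. `[ -r /sys/fs/cgroup/memory.stat ] && cat /sys/fs/cgroup/memory.stat || echo "memory.stat not readable (cgroup v1 or no shared namespace?)"`, or drop `set -e` and check each command instead. Likewise a pid that exits between `pidof` and the loop body now aborts the remaining pids; `pmap "$p" -x || true` keeps the loop going. The loops themselves are outside this hunk.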
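Review bot: `platforms: linux/amd64,linux/arm64` makes buildx run the Alpine `apk add` `RUN` step for arm64, which on an amd64 `ubuntu-latest` runner needs user-mode emulation, and there is no `docker/setup-qemu-action` step in this workflow; unless the runner already has binfmt handlers registered, the arm64 leg will presumably fail with an exec-format error. Add `- uses: docker/setup-qemu-action@<sha> # vX.Y.Z` before the buildx setup step. The Makefile's `nginx-utils` target still builds `--platform linux/amd64` only, so local and CI artifacts differ, and the Trivy step below this hunk scans a single platform of the pushed index unless told otherwise.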
From: Madhu RAJAGOPAL Date: Tue, 17 Jun 2025 17:22:18 +1200 Subject: [PATCH 24/29] Fix: Add build tags based on release tag to docker-build workflow --- .github/workflows/docker-build.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 14a8442..3916fef 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -34,8 +34,11 @@ jobs: context: . file: nginx-utils/Dockerfile push: true - tags: ghcr.io/nginx/nginx-utils:latest platforms: linux/amd64,linux/arm64 + tags: | + ghcr.io/nginx/nginx-utils:${{ env.RELEASE_VERSION }} + ghcr.io/nginx/nginx-utils:latest + # Step 5: Install Trivy for Vulnerability Scanning - name: Install Trivy and scan image for vulnerabilities From 7d01e3be15ae08d6211da2b1ff78c2172f6178b7 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Wed, 18 Jun 2025 11:45:07 +1200 Subject: [PATCH 25/29] Fix: Build the container based -docker release name This is expected to allow release the debug container image independent of the supportpkg krew plugin --- .github/workflows/docker-build.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 3916fef..f58f2d1 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -10,9 +10,13 @@ on: env: RELEASE_VERSION: ${{ github.event.release.tag_name }} jobs: - build: + run-on-release: + if: endsWith(github.event.release.tag_name, '-docker') runs-on: ubuntu-latest steps: + - name: Starting Release Build + run: echo "Starting Release Build for ${{ github.event.release.tag_name }}" + - name: Checkout code uses: actions/checkout@v4.2.2 From cedd60f659bb2d4102df9567c18fc5f644bc9c55 Mon Sep 17 00:00:00 2001 
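Review bot: `run: echo "Starting Release Build for ${{ github.event.release.tag_name }}"` interpolates the release tag into the shell script before bash sees it; a git ref may contain characters such as `;`, `"`, `$` and backticks, so whoever can create a release can run arbitrary commands with this job's `packages: write` token. Read it from the environment the workflow already sets instead: `run: echo "Starting Release Build for ${RELEASE_VERSION}"`. The `if: endsWith(github.event.release.tag_name, '-docker')` expression is evaluated by GitHub, not a shell, and is not affected; the same applies to `env.RELEASE_VERSION` inside the `tags:` input.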
From: Madhu RAJAGOPAL Date: Wed, 18 Jun 2025 12:10:06 +1200 Subject: [PATCH 26/29] Fix: Build the krew based on -krew in the release name This is expected to allow release of the supportpkg krew plugin independent of the debug container image --- .github/workflows/release-builder.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-builder.yml b/.github/workflows/release-builder.yml index 9463716..d5859f9 100644 --- a/.github/workflows/release-builder.yml +++ b/.github/workflows/release-builder.yml @@ -12,6 +12,7 @@ env: jobs: build: + if: endsWith(github.event.release.tag_name, '-krew') permissions: contents: write From 6c731870013bb819ee445be697627f49dbcaed2d Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Wed, 18 Jun 2025 14:20:17 +1200 Subject: [PATCH 27/29] Fix: Add docker image info to release notes via dock-build workflow --- .github/workflows/docker-build.yml | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index f58f2d1..9b20e96 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -20,7 +20,6 @@ jobs: - name: Checkout code uses: actions/checkout@v4.2.2 - # Step 2: Debug: Verify api_stats.sh and repository content - name: List repository files run: ls -R .; pwd - name: Set up Docker Buildx @@ -43,8 +42,6 @@ jobs: ghcr.io/nginx/nginx-utils:${{ env.RELEASE_VERSION }} ghcr.io/nginx/nginx-utils:latest - - # Step 5: Install Trivy for Vulnerability Scanning - name: Install Trivy and scan image for vulnerabilities uses: aquasecurity/trivy-action@0.31.0 
@@ -58,3 +55,21 @@ jobs: with: name: vuln-report path: vuln-report.json + + - name: Update Release Notes with Docker Image Info + uses: softprops/action-gh-release@v2.3.2 + with: + tag_name: ${{ github.event.release.tag_name }} + body: | + ## Docker Image + The Docker image for this release can be pulled using: + + ``` + docker pull ghcr.io/${{ github.repository_owner }}/nginx-utils:${{ github.event.release.tag_name }} + ``` + + Or use the `latest` tag: + + ``` + docker pull ghcr.io/${{ github.repository_owner }}/nginx-utils:latest + ``` From 727620e48b5093a6d97ccc3b39f52ffe91401b6a Mon Sep 17 00:00:00 2001 From: Daniel Areste Hernandez Date: Wed, 18 Jun 2025 11:10:34 +0200 Subject: [PATCH 28/29] feat: strip prefix in krew release version tags --- .github/workflows/release-builder.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-builder.yml b/.github/workflows/release-builder.yml index d5859f9..7a1786e 100644 --- a/.github/workflows/release-builder.yml +++ b/.github/workflows/release-builder.yml @@ -23,7 +23,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set Release Version - run: echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV + run: echo "RELEASE_VERSION=${RELEASE_VERSION%-krew}" >> $GITHUB_ENV - name: Set up Go uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 From b9aa761d26c625a60013c2fee85433490ebfeb05 Mon Sep 17 00:00:00 2001 From: Madhu RAJAGOPAL Date: Thu, 19 Jun 2025 10:31:10 +1200 Subject: [PATCH 29/29] Fix: Strip suffix in docker image release tag --- .github/workflows/docker-build.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 9b20e96..8b2c1e7 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml 
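Review bot: `softprops/action-gh-release@v2.3.2` edits the release, which needs `contents: write`, but this workflow's `permissions:` block grants only `contents: read`, so this step should fail with a 403 as written; rather than widening the whole job, split the notes update into a separate job with `permissions: contents: write` that `needs:` the build job. The pull command uses `ghcr.io/${{ github.repository_owner }}/nginx-utils:...` while the build step pushes to the hard-coded `ghcr.io/nginx/...`; use one expression in both places. Confirm how `body:` behaves on an already-created release - if it replaces the existing notes rather than appending, the human-written release notes are lost, and `append_body: true` is the safer choice here. `v2.3.2` is a mutable tag; pin by commit SHA like the rest of the workflow should be.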
@@ -1,4 +1,4 @@ -name: Build and Push Docker Image for nginx-utils container +name: Build and Push Docker Image For nginx-utils Container permissions: contents: read packages: write @@ -14,8 +14,11 @@ jobs: if: endsWith(github.event.release.tag_name, '-docker') runs-on: ubuntu-latest steps: + - name: Set Release Version + run: echo "RELEASE_VERSION=${RELEASE_VERSION%-docker}" >> $GITHUB_ENV + - name: Starting Release Build - run: echo "Starting Release Build for ${{ github.event.release.tag_name }}" + run: echo "Starting Release Build for ${RELEASE_VERSION}" - name: Checkout code uses: actions/checkout@v4.2.2
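Review bot: After `RELEASE_VERSION=${RELEASE_VERSION%-docker}` the image is pushed as `ghcr.io/nginx/nginx-utils:<version>`, but the release-notes step below this hunk still tells users to `docker pull ...:${{ github.event.release.tag_name }}`, i.e. with the `-docker` suffix, which is no longer a tag that exists; switch that step to `${{ env.RELEASE_VERSION }}`, which the `$GITHUB_ENV` write makes visible to later steps. Deriving the value from the tag name is safe here because the variable name is fixed and a git ref cannot contain a newline, so it cannot inject extra `GITHUB_ENV` entries. Quote the target as `>> "$GITHUB_ENV"` for shellcheck cleanliness, matching `release-builder.yml` style is optional but consistent.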