refactor: simplify docker build process

This change does the following:
* Migrates to using the official NGINX Plus Docker
images as base images
* Removes the distinction between BuildKit and non-BuildKit
  builds for Plus images (OSS never had this)
* Adds support for license validation for Plus images
* Introduces a multi-stage build for Plus images

Signed-off-by: Elijah Zupancic <e.zupancic@f5.com>

Author: dekobon

Dockerfile.buildkit.plus

@@ -1,8 +1,4 @@
-FROM nginx:1.29.0@sha256:f5c017fb33c6db484545793ffb67db51cdd7daebee472104612f73a85063f889
-
-# NJS env vars
-ENV NJS_VERSION=0.9.0
-ENV NJS_RELEASE=1~bookworm
+FROM nginx:1.29.1@sha256:d5f28ef21aabddd098f3dbc21fe5b7a7d7a184720bc07da0b6c9b9820e97f25e
 
 # Proxy cache env vars
 ENV PROXY_CACHE_MAX_SIZE=10g
@@ -27,20 +23,20 @@ ENV PREFIX_LEADING_DIRECTORY_PATH=""
 # 3. Adding a directory for proxied objects to be stored.
 # 4. Replacing the entrypoint script with a modified version that explicitly sets resolvers.
 
+# Note: the PKG_RELEASE environment variable is inherited
+
 RUN set -x \
-    && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
-    apt-get update \
+    && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list \
+    && apt-get update \
     && apt-get install --no-install-recommends --no-install-suggests -y \
-      libedit2 \
-      nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
-    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
+      libedit2 nginx-module-njs nginx-module-xslt \
+    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/*
 
-COPY oss/etc /etc
+COPY oss/etc/nginx /etc/nginx
 COPY common/etc /etc
-COPY common/docker-entrypoint.sh /docker-entrypoint.sh
 COPY common/docker-entrypoint.d /docker-entrypoint.d/
 
 RUN set -x \
     && mkdir -p /var/cache/nginx/s3_proxy \
     && chown nginx:nginx /var/cache/nginx/s3_proxy \
-    && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;
+    && find /docker-entrypoint.d -type f \( -name '*.sh' -or -name '*.envsh' \) -exec chmod -v +x {} \;

Dockerfile.oss

@@ -1,13 +1,59 @@
-FROM debian:bookworm-slim@sha256:b1211f6d19afd012477bd34fdcabb6b663d680e0f4b0537da6e6b0fd057a3ec3
+FROM nginx:1.29.1@sha256:d5f28ef21aabddd098f3dbc21fe5b7a7d7a184720bc07da0b6c9b9820e97f25e AS oss
 
-# Create RELEASE argument
-ARG RELEASE=bookworm
+FROM private-registry.nginx.com/nginx-plus/base:r35-debian-bookworm@sha256:9a82ad3f96d58be861257efd621f215d599e226ebedd24d9f3211bdd743c3c27 AS build
 
-# NJS env vars
-ENV NGINX_VERSION=34
-ENV NGINX_PKG_RELEASE=1~${RELEASE}
-ENV NJS_VERSION=0.9.0
-ENV NJS_PKG_RELEASE=1~${RELEASE}
+# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by:
+# This requires us to have the NGINX Plus license certificate and key from the F5 customer portal,
+# so we do not want to embed these certificates and keys in the base image. As such, we use
+# in intermediate build image, then throw it away, leaving the modules required.
+
+COPY --from=oss /etc/apt/keyrings/nginx-archive-keyring.gpg /etc/apt/keyrings/
+
+# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context
+RUN <<EOF
+    set -eux
+    NGINX_GPGKEY_PATH="/etc/apt/keyrings/nginx-archive-keyring.gpg"
+    VERSION_CODENAME="$(grep VERSION_CODENAME /etc/os-release | cut -d= -f2)"
+    echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx
+    echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx
+    echo "Acquire::https::pkgs.nginx.com::SslCert     \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx
+    echo "Acquire::https::pkgs.nginx.com::SslKey      \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx
+    echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian ${VERSION_CODENAME} nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list
+EOF
+
+# Setup NGINX Plus apt repository
+RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \
+    --mount=type=secret,id=nginx-key,dst=nginx-repo.key \
+    set -eux; \
+    mkdir --parents /etc/ssl/nginx; \
+    cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt; \
+    cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key
+
+# Only update the NGINX Plus repository
+RUN apt-get update
+
+# Download the latest release of the XSLT module and its dependencies
+RUN <<EOF
+  set -eux
+  mkdir --parents /var/cache/apt/downloads
+  cd /var/cache/apt/downloads/
+  apt-get download nginx-plus-module-xslt
+EOF
+
+# Install only envsubst from the gettext-base package
+RUN <<EOF
+    set -eux
+    cd /tmp
+    apt-get download gettext-base
+    dpkg-deb --extract "$(find . -type f -name 'gettext-base*.deb')" .
+    cp usr/bin/envsubst /usr/local/bin/
+    rm -rf /tmp/*
+EOF
+
+FROM private-registry.nginx.com/nginx-plus/base:r35-debian-bookworm@sha256:9a82ad3f96d58be861257efd621f215d599e226ebedd24d9f3211bdd743c3c27
+
+# OSS equivalent version
+ENV NGINX_VERSION=1.29.0
 
 # Proxy cache env vars
 ENV PROXY_CACHE_MAX_SIZE=10g
@@ -26,76 +72,29 @@ ENV DIRECTORY_LISTING_PATH_PREFIX=""
 ENV STRIP_LEADING_DIRECTORY_PATH=""
 ENV PREFIX_LEADING_DIRECTORY_PATH=""
 
-# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by:
-# 1. Explicitly installing the version of njs coded in the environment variable above.
-# 2. Adding configuration files needed for proxying private S3 buckets.
-# 3. Adding a directory for proxied objects to be stored.
-# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers.
-
-# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context
-COPY plus/etc/ssl /etc/ssl
-
-RUN set -x \
-# Create nginx user/group first, to be consistent throughout Docker variants
-    && groupadd --system --gid 101 nginx \
-    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
-    && apt-get update \
-    && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \
-    && \
-    NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
-    NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
-    export GNUPGHOME="$(mktemp -d)"; \
-    found=''; \
-    for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
-    for server in \
-        hkp://keyserver.ubuntu.com:80 \
-        pgp.mit.edu \
-    ; do \
-        echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
-        gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
-    done; \
-    test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
-    done; \
-    gpg1 --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \
-    rm -rf "$GNUPGHOME"; \
-    apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
-# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5)
-    && nginxPackages=" \
-        nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
-        nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \
-        nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
-    " \
-    && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \
-    && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \
-    && echo "Acquire::https::pkgs.nginx.com::SslCert     \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \
-    && echo "Acquire::https::pkgs.nginx.com::SslKey      \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \
-    && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
-    && apt-get update \
-    && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \
-    && apt-get remove --purge -y lsb-release \
-    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \
-    && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \
-# Forward request logs to Docker log collector
-    && ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log
-
-EXPOSE 80
-
-STOPSIGNAL SIGTERM
-
-CMD ["nginx", "-g", "daemon off;"]
-
 # Copy files from the OSS NGINX Docker container such that the container
 # startup is the same.
+COPY --from=build /var/cache/apt/downloads/* /var/cache/apt/downloads/
+COPY --from=build /usr/local/bin/envsubst /usr/local/bin/
+
 COPY plus/etc/nginx /etc/nginx
 COPY common/etc /etc
-COPY common/docker-entrypoint.sh /docker-entrypoint.sh
 COPY common/docker-entrypoint.d /docker-entrypoint.d/
-COPY plus/docker-entrypoint.d /docker-entrypoint.d/
 
-RUN set -x \
-    && mkdir -p /var/cache/nginx/s3_proxy \
-    && chown nginx:nginx /var/cache/nginx/s3_proxy \
-    && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;
+# 1. Install the XLST filter module.
+# 2. Adding configuration files needed for proxying private S3 buckets.
+# 3. Adding a directory for proxied objects to be stored.
+# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers.
+RUN <<EOF
+    set -eux
+    apt-get update -qq
+    apt-get install --no-install-recommends --no-install-suggests -y "$(find /var/cache/apt/downloads -type f -name 'nginx-plus-module-xslt*.deb')"
+    apt-get remove --purge --auto-remove -y
+    rm -rf /var/cache/apt/downloads /usr/share/doc/ /usr/share/lintian rm -rf /var/lib/apt/lists/*
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+    cat /etc/nginx/nginx-license.conf >> /etc/nginx/nginx.conf; \
+    rm /etc/nginx/nginx-license.conf; \
+    mkdir -p /var/cache/nginx/s3_proxy; \
+    chown nginx:nginx /var/cache/nginx/s3_proxy; \
+    find /docker-entrypoint.d -type f \( -name '*.sh' -or -name '*.envsh' \) -exec chmod -v +x {} \;
+EOF

Dockerfile.plus

@@ -130,21 +130,3 @@ fi
 if [ $failed -gt 0 ]; then
   exit 1
 fi
-
-echo "S3 Backend Environment"
-echo "Service: ${S3_SERVICE:-s3}"
-echo "Access Key ID: ${AWS_ACCESS_KEY_ID}"
-echo "Origin: ${S3_SERVER_PROTO}://${S3_BUCKET_NAME}.${S3_SERVER}:${S3_SERVER_PORT}"
-echo "Region: ${S3_REGION}"
-echo "Addressing Style: ${S3_STYLE}"
-echo "AWS Signatures Version: v${AWS_SIGS_VERSION}"
-echo "DNS Resolvers: ${DNS_RESOLVERS}"
-echo "Directory Listing Enabled: ${ALLOW_DIRECTORY_LIST}"
-echo "Directory Listing Path Prefix: ${DIRECTORY_LISTING_PATH_PREFIX}"
-echo "Provide Index Pages Enabled: ${PROVIDE_INDEX_PAGE}"
-echo "Append slash for directory enabled: ${APPEND_SLASH_FOR_POSSIBLE_DIRECTORY}"
-echo "Stripping the following headers from responses: x-amz-;${HEADER_PREFIXES_TO_STRIP}"
-echo "Allow the following headers from responses (these take precedence over the above): ${HEADER_PREFIXES_ALLOWED}"
-echo "CORS Enabled: ${CORS_ENABLED}"
-echo "CORS Allow Private Network Access: ${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}"
-echo "Proxy cache using stale setting: ${PROXY_CACHE_USE_STALE}"