Add UBI-based NGINX images
Summary
UBI offers a number of advantages, though the image size is a bit larger:
- Makes it possible for NGINX to run in a FIPS environment. The OpenSSL libraries are FIPS-validated.
- Provides more security over Alpine. Red Hat addresses security issues faster than Alpine.
- Alpine's use of musl may cause slightly different behavior than glibc (e.g. with DNS).
Copied from https://github.com/kubernetes/ingress-nginx/pull/8524
Related to gitlab-org/charts/gitlab#3382 (closed) (begins CI implementation, but does not cover all requirements).
Closes gitlab-org/charts/gitlab#3384 (closed)
Testing
```yaml
# build/test.values.yaml
nginx-ingress:
  controller:
    image:
      # https://gitlab.com/gitlab-org/cloud-native/charts/gitlab-ingress-nginx/-/jobs/2682586820#L3709
      repository: registry.gitlab.com/gitlab-org/cloud-native/charts/gitlab-ingress-nginx/controller
      tag: 991c5ba4
      digest: "sha256:8219ebd16a2f3560647d2c7689b11d3c6f6ceee037d5afc04e34cee9335a7051"
```

```shell
helm upgrade --install gitlab . -f build/test.values.yaml
```
Confirm that NGINX Ingress Controller starts and that you can access the application through the Ingress.
This was tested in Charts CI: https://gitlab.com/gitlab-org/charts/gitlab/-/pipelines/581750610
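
One way to script the confirmation step, as an added example that is not part of the merge request: it checks that every controller pod is ready and that its image reference carries the digest from `build/test.values.yaml`, not just the tag. The function name, the pod name in the sample, the label selector and the assumption that the controller is the first container in the pod are illustrative.

```shell
#!/bin/sh
# Added example, not the project's own tooling.
# Digest pinned in build/test.values.yaml.
EXPECTED_DIGEST="sha256:8219ebd16a2f3560647d2c7689b11d3c6f6ceee037d5afc04e34cee9335a7051"

# check_pods DIGEST
# Reads "pod-name ready image-reference" lines on stdin and succeeds only if
# at least one pod is listed, every pod is ready, and every image reference
# ends in "@DIGEST" (a tag alone does not count as pinned).
check_pods() {
  expected="$1"
  seen=0
  bad=0
  while read -r name ready image; do
    [ -n "$name" ] || continue
    seen=$((seen + 1))
    if [ "$ready" != "true" ]; then
      echo "NOT READY: $name" >&2
      bad=1
    fi
    case "$image" in
      *"@$expected") ;;
      *) echo "NOT PINNED TO EXPECTED DIGEST: $name ($image)" >&2; bad=1 ;;
    esac
  done
  [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Against a live cluster (label selector and container index are assumptions):
#   kubectl get pods -l app=nginx-ingress,component=controller \
#     -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.containerStatuses[0].ready}{" "}{.spec.containers[0].image}{"\n"}{end}' \
#     | check_pods "$EXPECTED_DIGEST"

# Constructed sample line (hypothetical pod name, image values from the page).
REPO="registry.gitlab.com/gitlab-org/cloud-native/charts/gitlab-ingress-nginx/controller"
printf '%s true %s:991c5ba4@%s\n' "gitlab-nginx-ingress-controller-0" "$REPO" "$EXPECTED_DIGEST" \
  | check_pods "$EXPECTED_DIGEST" && echo "controller ready and pinned to expected digest"
```

A pod that is still pending prints no ready value, so its line fails both checks instead of passing silently.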