From 6c395cf18f3978989c3964b5856d02549aac57f8 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 15 Jan 2024 13:32:10 +0000 Subject: [PATCH] Base image hash (#4871) (#4917) add docker image sha to dockerfile --- build/Dockerfile | 24 ++++++++++++------------ tests/Dockerfile | 4 ++-- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index a4db7ba74af..26dc19113b8 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -6,13 +6,13 @@ ARG DEBIAN_FRONTEND=noninteractive ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM opentracing/nginx-opentracing:nginx-1.25.3 as opentracing-lib -FROM opentracing/nginx-opentracing:nginx-1.25.3-alpine as alpine-opentracing-lib -FROM ghcr.io/nginxinc/alpine-fips:0.1.1-alpine3.18 as alpine-fips +FROM opentracing/nginx-opentracing:nginx-1.25.3@sha256:426c2ff410f637eb243363f58c118254b5663e90224e5ab3c99d985eea50ec18 as opentracing-lib +FROM opentracing/nginx-opentracing:nginx-1.25.3-alpine@sha256:08ccc2c8bb28f01cb17b7619f139830b3af7950826b819b267393aefa32f23ab as alpine-opentracing-lib +FROM ghcr.io/nginxinc/alpine-fips:0.1.1-alpine3.18@sha256:6f124002650fae697152290a14a7caa7f21884e8d78d8236c63fec2d018d721d as alpine-fips ############################################# Base image for Alpine ############################################# -FROM nginx:1.25.3-alpine AS alpine +FROM nginx:1.25.3-alpine@sha256:a59278fd22a9d411121e190b8cec8aa57b306aa3332459197777583beb728f59 AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ 
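Review bot: Nothing on the pinned `FROM` lines records how the digests were resolved or whether they are multi-arch manifest-list digests. With `tag@sha256:…` the tag is ignored at pull time, so tag and digest can drift apart on a later edit without any build error. The builder stage declares `ARG TARGETARCH`, so a digest copied from a single-platform manifest would pin that one architecture for every target; this cannot be confirmed from the diff. Once checked, I would add a comment above the first pinned line, for example `# digests are manifest-list digests; update tag and digest together`. The same applies to the pinned `FROM` lines in the later hunks of build/Dockerfile and in tests/Dockerfile.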
@@ -24,7 +24,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for Debian ############################################# -FROM nginx:1.25.3 AS debian +FROM nginx:1.25.3@sha256:2bdc49f2f8ae8d8dc50ed00f2ee56d00385c6f8bc8a8b320d0a294d9e3b49026 AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ @@ -37,7 +37,7 @@ RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for UBI ############################################# -FROM nginxcontrib/nginx:1.25.3-ubi AS ubi +FROM nginxcontrib/nginx:1.25.3-ubi@sha256:4059affa739e77196cf465edf9fac1150afacc2a4ef3e12ae74cf594b9c1198a AS ubi ARG IC_VERSION LABEL name="NGINX Ingress Controller" \ @@ -83,7 +83,7 @@ RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https: ############################################# Base image for Alpine with NGINX Plus ############################################# -FROM alpine:3.18 as alpine-plus +FROM alpine:3.18@sha256:34871e7290500828b39e22294660bee86d966bc0017544e848dd9a255cdf59e0 as alpine-plus ARG NGINX_PLUS_VERSION RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ @@ -111,7 +111,7 @@ RUN --mount=type=bind,from=alpine-fips,target=/tmp/fips/ \ ############################################# Base image for Debian with NGINX Plus ############################################# -FROM debian:12-slim AS debian-plus +FROM debian:12-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340 AS debian-plus SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ 
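Review bot: `busybox:musl` in `RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/` is still referenced by a floating tag while this commit pins every `FROM`. That line appears only in the `@@ -83,7 +83,7 @@` header, so it sits outside the hunk body. The image's `/bin/` is mounted into the build step, so its binaries run during the build and carry the same supply-chain exposure the digests are meant to close. I would pin it the same way, `--mount=from=busybox:musl@sha256:<digest-resolved-from-registry>`. Any other `--mount=from=<image>` or `COPY --from=<image>` references in the file, not visible here, deserve the same check.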
@@ -135,7 +135,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for Debian with NGINX Plus and App Protect WAF/DoS ############################################# -FROM debian:11-slim as debian-plus-nap +FROM debian:11-slim@sha256:d3d0d14f49b49a4dd98a436711f5646dc39e1c99203ef223d1b6620061e2c0e5 as debian-plus-nap ARG NAP_MODULES RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ @@ -177,7 +177,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus ############################################# -FROM redhat/ubi9-minimal AS ubi-plus +FROM redhat/ubi9-minimal@sha256:a340f4b9fb261a75c84666a3dccb88e193a116da3cebabaf9bcdc33609b61172 AS ubi-plus SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ @@ -196,7 +196,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAF/DoS ############################################# -FROM redhat/ubi8 as ubi-plus-nap +FROM redhat/ubi8@sha256:1fdb97f2d2a44fdef3feaa69100f154631bae65130105ac685d0e34eb1d8c3d0 as ubi-plus-nap ARG NAP_MODULES RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ @@ -289,7 +289,7 @@ LABEL org.nginx.kic.image.build.nginx.version="${NGINX_PLUS_VERSION}${NGINX_VERS ############################################# Build nginx-ingress in golang container ############################################# -FROM golang:1.21-alpine AS builder +FROM golang:1.21-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS builder ARG IC_VERSION ARG TARGETARCH 
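Review bot: `redhat/ubi9-minimal@sha256:…` and `redhat/ubi8@sha256:…` (hunks `@@ -177,7` and `@@ -196,7`) are pinned by digest with no tag, unlike the other stages. The line therefore gives no readable indication of which UBI release is in use or how old it is. A reviewer of a later digest bump has nothing to compare the new value against. I would keep the tag the digest was resolved from next to it, `FROM redhat/ubi9-minimal:<tag>@sha256:<same digest> AS ubi-plus`, and likewise for `redhat/ubi8`.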
diff --git a/tests/Dockerfile b/tests/Dockerfile index 05de5161119..7c70a8e356f 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -1,8 +1,8 @@ # syntax=docker/dockerfile:1.5 # this is here so we can grab the latest version of kind and have dependabot keep it up to date -FROM kindest/node:v1.28.0 +FROM kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31 -FROM python:3.12 +FROM python:3.12@sha256:3733015cdd1bd7d9a0b9fe21a925b608de82131aa4f3d397e465a1fcb545d36f RUN apt-get update \ && apt-get install -y curl git \
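Review bot: The comment above `FROM kindest/node` says the line exists so the kind version can be grabbed from it, and appending `@sha256:…` changes what anything parsing that line sees after the tag. If a Makefile or script extracts the version by splitting on `:` (that consumer is not visible here), it may now return the tag with `@sha256` attached or the digest itself. I would confirm the extraction still yields `v1.28.0` and extend the comment, for example `# tag is parsed by <consumer>; digest must be updated together with the tag`. The `RUN apt-get` step continues outside the hunk.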