images/nginx: upgrade nginx 1.27.1 → 1.30.1 (security) #1
Merged
Conversation
Upgrade the nginx base image from nginx/1.27.1 to nginx/1.30.1 to address security vulnerabilities present in older nginx versions (including CVE-2025-23419 and others fixed in the 1.28–1.30 release series). The upstream kubernetes/ingress-nginx project is no longer actively maintained, so this fork takes ownership of the upgrade.

Changes in images/nginx/rootfs/build.sh:
- NGINX_VERSION: 1.27.1 → 1.30.1
- SHA256 checksum for nginx tarball updated
- NJS_VERSION: 0.9.0 → 0.9.9 (latest stable, 2026-05-19)
- LUA_NGX_VERSION: v0.10.28 → v0.10.29 (latest stable, nginx 1.30.x compatible)
- LUA_STREAM_NGX_VERSION: v0.0.16 → v0.0.17 (latest stable)
- LUA_RESTY_CORE: v0.1.31 → v0.1.32 (required by lua-nginx-module v0.10.29)

Changes in images/nginx/TAG:
- v2.2.9 → v2.3.0

Verified: docker buildx build for linux/arm64 completes successfully. All 9 dynamic modules present in the built image: auth_digest, brotli (x2), geoip2 (x2), modsecurity, njs (x2), otel.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Rename all 34 custom patches from nginx-1.27.1 to nginx-1.30.1. All patches were verified with `patch --dry-run -p1` against the nginx 1.30.1 source tree — every patch applies cleanly with no context mismatches or rejected hunks.

Remove 28_nginx-1.27.1-CVE-2025-23419.patch: this patch backported the fix for CVE-2025-23419 (insufficient SNI check in TLSv1.3 virtual server handling) into nginx 1.27.1. The vulnerability was officially fixed upstream in nginx 1.27.4 and is therefore already included in nginx 1.30.1. Applying the patch on top of the upstream fix would introduce duplicate or conflicting code in ngx_http_request.c and ngx_stream_ssl_module.c.

Patch content was not modified. The nginx-1.27.1 prefix in diff headers is cosmetic only — `patch -p1` strips the leading directory component, so patches apply correctly regardless of the version string in the header.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Bump Alpine base image 3.23.3 → 3.23.4 in nginx Dockerfile
- Add retry logic (3 attempts + gzip validation) to get_src() in build.sh
- Upgrade Go 1.26.1 → 1.26.3, grpc v1.79.3 → v1.81.1, helm v4.1.3 → v4.2.0
- Add .github/workflows/build-nginx.yaml: multi-platform (amd64+arm64) nginx image build/push to eu.gcr.io/prod-mercadona via GCP Auth, following existing CD workflow patterns (monline-generic runner, concurrency group, google-github-actions/auth@v2)

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Add fork header clarifying this is a Mercadona SRE fork of the retired upstream kubernetes/ingress-nginx project
- Add "Fork changes" table tracking divergence from upstream, starting with the nginx 1.27.1 → 1.30.1 security upgrade (PR #1)
- Reframe the upstream retirement notice as historical context rather than the primary heading
- Add in-progress row to the Supported Versions table for the next release targeting nginx 1.30.1

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
go.mod requires go >= 1.26.3 but GOLANG_VERSION was pinned to 1.26.1. With GOTOOLCHAIN=local the toolchain does not auto-upgrade, causing all three Go CI jobs to fail immediately with:

    go: go.mod requires go >= 1.26.3 (running go 1.26.1; GOTOOLCHAIN=local)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The test-go job runs `make test` which delegates to build/run-in-docker.sh. Without DOCKER_IN_DOCKER_ENABLED=true, the script spins up the e2e-test-runner:v2.2.9 container to run the unit tests. That image ships a Go toolchain older than 1.26.3, causing `go list k8s.io/ingress-nginx/...` to fail silently (error goes to stderr, subshell captures empty stdout), and `go test -v` is invoked with no packages, defaulting to `.` where there are no .go files:

    no Go files in /go/src/k8s.io/ingress-nginx
    FAIL . [setup failed]

Setting DOCKER_IN_DOCKER_ENABLED=true makes run-in-docker.sh skip the Docker container and run the tests directly on the Actions runner, which already has Go 1.26.3 installed by setup-go.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace ubuntu-latest with monline-generic-large across all CI jobs to use Mercadona's self-hosted runner fleet.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This fork's CI scope is limited to building and publishing the nginx base image. Remove all upstream workflows that are no longer relevant: chart, ci, depreview, docs, golangci-lint, images, junit-reports, perftest, plugin, project, scorecards, vulnerability-scans, and the zz-tmpl-* templates.

build-nginx.yaml is retained as the sole workflow, running on monline-generic to build and push the nginx base image on Mercadona's self-hosted runner fleet.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The nginx image build requires Docker Buildx with multi-platform support (linux/amd64, linux/arm, linux/arm64). ubuntu-latest provides the necessary Docker environment and QEMU setup actions out of the box.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The pinned commit hash for docker/setup-qemu-action did not exist in the upstream repository, causing GitHub Actions to fail during job setup before any step ran. Switch to the explicit version tag v3.6.0 to resolve the action.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…peline

Replace the previous GCP-centric build workflow with a complete release pipeline that publishes to GitHub Container Registry (ghcr.io). The new workflow handles nginx base image, controller images, and kube-webhook-certgen on push to main and on version tags, with GoReleaser integration and automatic changelog extraction for GitHub Releases.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
This PR upgrades the nginx base image from nginx/1.27.1 to nginx/1.30.1 to address known security vulnerabilities present in older nginx versions. Since the upstream kubernetes/ingress-nginx project is no longer actively maintained, this fork takes ownership of the upgrade.
The cluster currently runs an ingress-nginx controller that packages nginx/1.21.6, which contains known CVEs. This change targets nginx/1.30.1, the latest stable release (as of May 2026).
Commits

1. images/nginx: bump nginx base image to v2.3.0 (nginx 1.30.1)

   Updates `images/nginx/rootfs/build.sh` and `images/nginx/TAG`:

   | Variable | Before | After |
   |---|---|---|
   | NGINX_VERSION | 1.27.1 | 1.30.1 |
   | SHA256 checksum | 66dc708... | 99765000... |
   | NJS_VERSION | 0.9.0 | 0.9.9 |
   | LUA_NGX_VERSION | v0.10.28 | v0.10.29 |
   | LUA_STREAM_NGX_VERSION | v0.0.16 | v0.0.17 |
   | LUA_RESTY_CORE | v0.1.31 | v0.1.32 |
   | images/nginx/TAG | v2.2.9 | v2.3.0 |

2. images/nginx: rename and drop patches for nginx 1.30.1

   Renamed all 34 patches from `*nginx-1.27.1*` → `*nginx-1.30.1*`. Patch content is unchanged — all 34 patches were verified with `patch --dry-run -p1` against the nginx 1.30.1 source tree and apply cleanly with zero rejected hunks.

   Deleted `28_nginx-1.27.1-CVE-2025-23419.patch`: This patch was a backport of the fix for CVE-2025-23419 (insufficient SNI check in TLSv1.3 virtual server handling, allows session reuse across virtual servers to bypass client certificate verification) into nginx 1.27.1. The vulnerability was officially fixed upstream in nginx 1.27.4 and is therefore already present in nginx 1.30.1. Keeping this patch would introduce conflicting code in `ngx_http_request.c` and `ngx_stream_ssl_module.c`.

3. build: align with forkline improvements for nginx 1.30.1

   Adds retry logic with gzip integrity validation to the `get_src()` function in `build.sh`. Downloads are retried up to 3 times if the fetched file fails `gzip -t` validation (truncated/corrupt download), with an explicit error and non-zero exit on final failure. This improves build reliability in flaky network environments.

Security context

The following CVEs are fixed between nginx 1.21.6 (current cluster version) and nginx 1.30.1:

Verification

The nginx 1.30.1 image was built and verified locally:

All 9 dynamic modules compiled and present. All compilation flags (HTTP/2, HTTP/3, stream, SSL, Lua, OpenTelemetry) confirmed via `nginx -V`.

Test plan

- linux/amd64 on GitHub Actions
- linux/arm64 and linux/arm
- rootfs/Dockerfile) succeeds using the new nginx base image
- `nginx -v` in the final controller image reports nginx/1.30.1
- `make test_all` equivalent in the ingress-nginx CI)
- NGINX_BASE file with the digest of the newly published image

🤖 Generated with Claude Code
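The patch verification described in commit 2 (every patch dry-run against the new source tree, rejected hunks counted) as an added, self-contained example. This is not the fork's own tooling: `check_patches`, `make_fixture`, the toy source tree and the two patches are constructed for this demonstration, and the `-f` flag and the fixture layout are assumptions, not something the PR states.

```shell
#!/bin/sh
# Added example, not the fork's own tooling: dry-run every patch in a
# directory against a source tree and fail if any hunk is rejected.
# check_patches, make_fixture and the toy tree/patches are assumptions
# constructed for this demonstration.
set -eu

# check_patches SRC_DIR PATCH_DIR
# Runs `patch --dry-run -p1` for each *.patch in PATCH_DIR from inside
# SRC_DIR, prints one status line per patch, returns 1 if any fails.
check_patches() {
    src="$1"; patches="$2"; failed=0
    for p in "$patches"/*.patch; do
        [ -e "$p" ] || { echo "check_patches: no patches in $patches" >&2; return 1; }
        # --dry-run: report without touching files. -p1 strips the leading
        # path component (nginx-1.27.1/ or nginx-1.30.1/), so the version in
        # the header is irrelevant. -f: never prompt, never assume -R.
        if (cd "$src" && patch --dry-run -f -p1 < "$p" >/dev/null 2>&1); then
            echo "OK      $(basename "$p")"
        else
            echo "FAILED  $(basename "$p")"
            failed=1
        fi
    done
    return "$failed"
}

# make_fixture DIR: constructed toy source tree plus two patches, one whose
# context still matches the tree and one whose removed line no longer exists.
make_fixture() {
    d="$1"
    mkdir -p "$d/src/core" "$d/patches"
    printf 'int a = 1;\nint b = 2;\nint c = 3;\n' > "$d/src/core/ngx_core.c"
    cat > "$d/patches/01_good.patch" <<'EOF'
--- nginx-1.27.1/core/ngx_core.c
+++ nginx-1.30.1/core/ngx_core.c
@@ -1,3 +1,3 @@
 int a = 1;
-int b = 2;
+int b = 20;
 int c = 3;
EOF
    cat > "$d/patches/02_stale.patch" <<'EOF'
--- nginx-1.27.1/core/ngx_core.c
+++ nginx-1.30.1/core/ngx_core.c
@@ -1,3 +1,3 @@
 int a = 1;
-int z = 9;
+int z = 90;
 int c = 3;
EOF
}

# Usage: sh check_patches.sh demo   (or: check_patches nginx-1.30.1 patches/)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    status=0
    check_patches "$tmp/src" "$tmp/patches" || status=$?
    rm -rf "$tmp"
    exit "$status"
fi
```

A clean dry run only proves that each hunk still finds its context; it says nothing about whether the patch is still needed or still correct against the new code. The CVE-2025-23419 backport in this PR is the case in point: it would apply on top of the upstream fix that 1.27.4 already carries, so a version bump should pair the dry run with a check of which patches upstream has since absorbed.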
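The retry-with-validation `get_src()` that commit 3 describes (up to 3 attempts, `gzip -t` on each download, explicit error and non-zero exit at the end), as an added example that is not the fork's `build.sh`. Beyond what the PR states, this version also checks the SHA256 that `build.sh` pins and treats a digest mismatch as a hard failure rather than a retryable one; that choice, the pluggable `FETCH` hook, the `fetch_curl`/`flaky_fetch`/`broken_fetch` helpers and the locally built tarball are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not the fork's build.sh: a get_src() that checks the
# downloaded tarball with `gzip -t`, verifies its SHA256 and retries a
# fixed number of times before failing with a non-zero exit. The fetcher
# is pluggable (FETCH) so the retry path can be exercised offline; FETCH,
# fetch_curl, flaky_fetch and the constructed tarball are assumptions.
set -eu

MAX_ATTEMPTS=3
FETCH="${FETCH:-fetch_curl}"     # invoked as: $FETCH URL OUTFILE

fetch_curl() {
    curl -fsSL -o "$2" "$1"
}

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# get_src SHA256 URL [OUTFILE]
# 0 with a verified file in OUTFILE; 1 after MAX_ATTEMPTS failed fetches
# or immediately on a digest mismatch.
get_src() {
    sha="$1"; url="$2"; out="${3:-$(basename "$url")}"
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        rm -f "$out"
        if ! "$FETCH" "$url" "$out"; then
            echo "get_src: attempt $attempt/$MAX_ATTEMPTS: download failed: $url" >&2
        elif ! gzip -t "$out" 2>/dev/null; then
            # gzip -t reads the whole stream; a truncated file has no trailer
            # and a corrupted one fails the CRC, so both are caught here.
            echo "get_src: attempt $attempt/$MAX_ATTEMPTS: not a valid gzip stream: $out" >&2
        elif [ "$(sha256_of "$out")" != "$sha" ]; then
            # A well-formed gzip with the wrong digest is not a transient
            # network error: the mirror served different content. No retry.
            echo "get_src: SHA256 mismatch for $url" >&2
            rm -f "$out"
            return 1
        else
            return 0
        fi
        attempt=$((attempt + 1))
    done
    echo "get_src: giving up on $url after $MAX_ATTEMPTS attempts" >&2
    rm -f "$out"
    return 1
}

# ---- constructed fixture for an offline run --------------------------------
# A locally built tar.gz stands in for the nginx release tarball; prints its
# SHA256 so the caller can pass it to get_src.
make_fixture() {
    mkdir -p "$1/tree"
    printf 'payload\n' > "$1/tree/file.txt"
    (cd "$1" && tar -cf - tree | gzip -n > good.tar.gz)
    sha256_of "$1/good.tar.gz"
}

# flaky_fetch URL OUTFILE: the first call delivers a truncated copy (a
# dropped connection), every later call the full file.
FLAKY_SRC="${FLAKY_SRC:-}"; FLAKY_CALLS=0
flaky_fetch() {
    FLAKY_CALLS=$((FLAKY_CALLS + 1))
    if [ "$FLAKY_CALLS" -eq 1 ]; then
        head -c 20 "$FLAKY_SRC" > "$2"
    else
        cp "$FLAKY_SRC" "$2"
    fi
}

# broken_fetch URL OUTFILE: always truncated, to exercise the give-up path.
broken_fetch() {
    FLAKY_CALLS=$((FLAKY_CALLS + 1))
    head -c 20 "$FLAKY_SRC" > "$2"
}

# Usage: sh get_src.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    want=$(make_fixture "$tmp")
    FLAKY_SRC="$tmp/good.tar.gz"; FETCH=flaky_fetch
    get_src "$want" "https://example.invalid/nginx-1.30.1.tar.gz" "$tmp/nginx.tar.gz"
    echo "verified after $FLAKY_CALLS fetches"
    rm -rf "$tmp"
fi
```

Retrying only the transient class of failure is the point of separating the two checks: a truncated stream is what a flaky network produces and is worth another attempt, whereas a complete gzip whose digest does not match the pinned SHA256 means the build would otherwise compile something other than the tarball the commit vouched for, and no number of retries makes that safe.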