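# syntax=docker/dockerfile:1
FROM centos:centos7
LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"
# NOTE(review): this is a Debian "stretch" package revision and is not
# referenced by the yum install below; kept only for compatibility with the
# upstream Dockerfile this was derived from (key=value form per build checks).
ENV NGINX_PLUS_VERSION=19-1~stretch
ARG IC_VERSION

# The NGINX Plus repository needs the client certificate and key downloaded
# from the customer portal (https://cs.nginx.com). They are exposed to the
# install step through BuildKit secret mounts, which exist only for the
# duration of that RUN and never land in an image layer. (Copying them into
# the image and deleting them in a later step leaves the key recoverable from
# the layer history of every pushed image.) Build with:
#   DOCKER_BUILDKIT=1 docker build \
#     --secret id=nginx-repo.crt,src=nginx-repo.crt \
#     --secret id=nginx-repo.key,src=nginx-repo.key .
# No chmod is needed: yum runs as root and reads the 0400 mounted files.
#
# Install NGINX Plus. The repo file is fetched with curl (installed in the same
# step) instead of wget, so there is no build-only tool to erase afterwards.
# setcap lets the non-root nginx user bind ports 80/443 (see EXPOSE/USER below).
# The yum cache is cleaned in the same layer so it does not bloat the image.
RUN --mount=type=secret,id=nginx-repo.crt,target=/etc/ssl/nginx/nginx-repo.crt,required \
    --mount=type=secret,id=nginx-repo.key,target=/etc/ssl/nginx/nginx-repo.key,required \
    set -x \
    && yum -y install ca-certificates curl libcap \
    && curl -fsSL -o /etc/yum.repos.d/nginx-plus-7.4.repo https://cs.nginx.com/static/files/nginx-plus-7.4.repo \
    && yum -y install nginx-plus \
    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
    && yum clean all \
    && rm -rf /var/cache/yum

# forward nginx access and error logs to stdout and stderr of the ingress
# controller process
RUN ln -sf /proc/self/fd/1 /var/log/nginx/access.log \
    && ln -sf /proc/self/fd/1 /var/log/nginx/stream-access.log \
    && ln -sf /proc/self/fd/2 /var/log/nginx/error.log

# Prepare the directories the controller writes to as the nginx user (group 0
# so the files stay accessible under an arbitrary runtime GID). The empty
# /etc/ssl/nginx mount-point directory left by the secret mounts is removed
# here, and the stock server configs are dropped so only the controller's
# generated configuration is served.
RUN mkdir -p /var/lib/nginx \
    && mkdir -p /etc/nginx/secrets \
    && chown -R nginx:0 /etc/nginx \
    && chown -R nginx:0 /var/cache/nginx \
    && chown -R nginx:0 /var/lib/nginx/ \
    && rm -rf /etc/ssl/nginx \
    && rm /etc/nginx/conf.d/*

# Privileged ports are usable by the non-root user thanks to the file
# capability set on /usr/sbin/nginx above.
EXPOSE 80 443
COPY nginx-ingress internal/configs/version1/nginx-plus.ingress.tmpl internal/configs/version1/nginx-plus.tmpl internal/configs/version2/nginx-plus.virtualserver.tmpl /
USER nginx
ENTRYPOINT ["/nginx-ingress"]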
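# Deployment of the NGINX Plus Ingress Controller (non-root image) together
# with a sidecar that fetches key material into a shared scratch volume.
# Indentation restored: the original paste had lost all structure.
#
# NOTE(review): the extensions/v1beta1 Deployment API was removed in
# Kubernetes 1.16; apps/v1 is the replacement, and this spec already carries
# the spec.selector that apps/v1 requires.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress
  namespace: nginx-ingress
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
    spec:
      serviceAccountName: nginx-ingress
      volumes:
        # Scratch directory shared by the getkey sidecar and the ingress
        # controller: whatever the sidecar writes here is readable by nginx.
        - name: shared-data
          emptyDir: {}
        - name: ca-chain
          secret:
            secretName: ca-chain
        - name: apigw-client
          secret:
            secretName: apigw-client
        - name: fruit-client
          secret:
            secretName: fruit-client
      containers:
        - image: bgautrea/nginx-ingress:1.5.3-centos-nonroot
          imagePullPolicy: Always
          name: nginx-ingress
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          volumeMounts:
            - name: shared-data
              mountPath: /etc/nginx/secrets/
            # The subPath mounts below project single files into the shared
            # directory. Files mounted via subPath are not refreshed when the
            # backing Secret changes until the pod is recreated.
            - name: ca-chain
              mountPath: /etc/nginx/secrets/ca-chain.cert.pem
              readOnly: true
              subPath: ca-chain.cert.pem
            - name: apigw-client
              mountPath: /etc/nginx/secrets/client
              readOnly: true
              # presumably the data key inside the apigw-client Secret; verify
              subPath: e6wxzf
            - name: fruit-client
              mountPath: /etc/nginx/secrets/fruit-client.cert
              readOnly: true
              subPath: tls.crt
            - name: fruit-client
              mountPath: /etc/nginx/secrets/fruit-client.key
              readOnly: true
              subPath: tls.key
          securityContext:
            # Required here: the image grants NET_BIND_SERVICE through a file
            # capability on /usr/sbin/nginx (setcap in the Dockerfile). With
            # allowPrivilegeEscalation: false the kernel sets no_new_privs and
            # ignores file capabilities, so the non-root nginx could not bind
            # ports 80/443. Every other capability is dropped below.
            allowPrivilegeEscalation: true
            # must match the uid of the nginx user created in the image; verify
            runAsUser: 999 #nginx
            capabilities:
              drop:
                - ALL
              # keeps NET_BIND_SERVICE in the bounding set so the file
              # capability can take effect for the non-root process
              add:
                - NET_BIND_SERVICE
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          args:
            - -nginx-plus
            - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
            #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
            - -default-server-tls-secret=$(POD_NAMESPACE)/duck-secret
            #- -v=3 # Enables extensive logging. Useful for troubleshooting.
            - -report-ingress-status
            - -external-service=nginx-ingress
            - -enable-leader-election
            - -enable-custom-resources
        # Sidecar that populates /etc/nginx/secrets/ for the controller.
        - image: bgautrea/getssl:v3
          imagePullPolicy: Always
          name: getkey
          volumeMounts:
            - name: shared-data
              mountPath: /etc/nginx/secrets/
          env:
            # NOTE(review): credentials given as literal env values are stored
            # in the manifest, in etcd and shown by `kubectl describe pod`;
            # prefer valueFrom.secretKeyRef pointing at a Secret. The
            # placeholder values from the original are kept as-is.
            - name: KID_ENV
              value: 'XXXXXXXXXXXXXXXX'
            - name: AKEY_ENV
              value: 'XXXXXXXXXXXXXXXX'
          command: ["/usr/local/bin/run.sh"]
      imagePullSecrets:
        - name: regcred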