From 606b33b3fe00c1a7956c1a6e5e738eb106e3f341 Mon Sep 17 00:00:00 2001
From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Date: Thu, 12 Dec 2024 20:25:38 +0800
Subject: [PATCH] Re-add FIPs images to tests, image patching & release (#6948)
* add fips image to pipeline
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
* re-add fips images to patching and release
* add fips images to tech specs
* remove FIPS note from release notes
* switch tests for fips
---------
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Co-authored-by: Paul Abel
Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Co-authored-by: Venktesh Shivam Patel
---
.github/config/config-plus-gcr-release | 6 +++---
.github/config/config-plus-nginx | 6 +++---
.github/data/matrix-smoke-nap.json | 2 +-
.github/data/matrix-smoke-plus.json | 4 ++--
.github/data/patch-images.json | 18 ++++++++++++++++++
site/content/releases.md | 8 --------
site/content/technical-specifications.md | 3 +++
7 files changed, 30 insertions(+), 17 deletions(-)
diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release
index 175f34cc3d..e1c6d12e01 100644
--- a/.github/config/config-plus-gcr-release
+++ b/.github/config/config-plus-gcr-release
@@ -1,7 +1,7 @@
export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-mktpl")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-mktpl")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips" "-mktpl")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips" "-ubi8")
declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
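Review bot: `NAP_WAFV5_TAG_POSTFIX_LIST` inserts `-alpine-fips` before `-ubi8`, while `NAP_WAF_TAG_POSTFIX_LIST` on the line above and the same list in `.github/config/config-plus-nginx` place it after `-ubi8`. If the consuming script only iterates the array, the order is presumably harmless, but the mismatch makes the two config files harder to compare when auditing which tags get published. `declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")` would match. A one-line comment above the three changed lists, e.g. `# -alpine-fips: FIPS-enabled Alpine images, see site/content/technical-specifications.md`, would also record why this postfix exists.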
diff --git a/.github/config/config-plus-nginx b/.github/config/config-plus-nginx
index 0490242f7d..546c636721 100644
--- a/.github/config/config-plus-nginx
+++ b/.github/config/config-plus-nginx
@@ -1,8 +1,8 @@
export TARGET_REGISTRY=docker-mgmt.nginx.com
export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
export PUBLISH_OSS=false
diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json
index 39c47a4e03..1d780e7a7d 100644
--- a/.github/data/matrix-smoke-nap.json
+++ b/.github/data/matrix-smoke-nap.json
@@ -18,7 +18,7 @@
},
{
"label": "AP_WAF 3/4",
- "image": "debian-plus-nap",
+ "image": "alpine-plus-nap-fips",
"type": "plus",
"nap_modules": "waf",
"marker": "appprotect_waf_policies_grpc",
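Review bot: The `AP_WAF 3/4` entry replaces `debian-plus-nap` with `alpine-plus-nap-fips` instead of adding a FIPS entry, and its marker stays `appprotect_waf_policies_grpc`, which selects functional tests. The same swap is made for `ingresses 2/2` and `VSR 2/3` in `.github/data/matrix-smoke-plus.json`. Unless entries outside these hunks still run these markers on the non-FIPS images, that coverage is lost. Nothing visible here asserts that the image under test actually runs with the FIPS module enabled. I would keep `"image": "debian-plus-nap"` on the existing entry and add a separate entry with `"image": "alpine-plus-nap-fips"`, ideally under a marker that checks FIPS mode; the enclosing array starts and ends outside the hunk.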
diff --git a/.github/data/matrix-smoke-plus.json b/.github/data/matrix-smoke-plus.json
index b92ba8cfac..572d6e4d8a 100644
--- a/.github/data/matrix-smoke-plus.json
+++ b/.github/data/matrix-smoke-plus.json
@@ -37,7 +37,7 @@
},
{
"label": "ingresses 2/2",
- "image": "alpine-plus",
+ "image": "alpine-plus-fips",
"type": "plus",
"marker": "'annotations or basic_auth or hsts or watch_namespace or wildcard_tls'",
"platforms": "linux/arm64, linux/amd64"
@@ -51,7 +51,7 @@
},
{
"label": "VSR 2/3",
- "image": "alpine-plus",
+ "image": "alpine-plus-fips",
"type": "plus",
"marker": "'vsr_basic or vsr_canned or vsr_rewrite or vsr_redirects or vsr_upstream'",
"platforms": "linux/arm64, linux/amd64"
diff --git a/.github/data/patch-images.json b/.github/data/patch-images.json
index 9bb2490855..b258b2c4ce 100644
--- a/.github/data/patch-images.json
+++ b/.github/data/patch-images.json
@@ -35,6 +35,12 @@
"target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress",
"platforms": "linux/arm64, linux/amd64"
},
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress",
+ "source_os": "alpine-fips",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress",
+ "platforms": "linux/arm64, linux/amd64"
+ },
{
"source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress",
"source_os": "ubi",
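Review bot: Adding `alpine-fips` to the patch list re-enables what the release note removed by this same commit advised against, namely patching older FIPS images, which it said could re-introduce the incompatible dependency. Nothing in this entry limits patching to releases built after that dependency was fixed. Whether older release tags are picked up depends on the workflow that reads this file, which is not visible here. Because JSON cannot carry a comment, the guard belongs in that workflow: skip `alpine-fips` sources older than the first fixed release, and check after patching that the FIPS module and OpenSSL configuration are unchanged. The same applies to the `nginx-ic-nap` and `nginx-ic-nap-v5` entries added in the next two hunks.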
@@ -65,6 +71,12 @@
"target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
"platforms": "linux/amd64"
},
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
+ "source_os": "alpine-fips",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
+ "platforms": "linux/amd64"
+ },
{
"source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
"source_os": "debian",
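Review bot: The new `nginx-ic-nap` `alpine-fips` entry declares `"platforms": "linux/amd64"`, but the technical-specifications.md row added in this commit lists both `arm64` and `amd64` for `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-alpine-fips`. The `nginx-ic-nap-v5` entry in the next hunk has the same mismatch. One side is wrong: either this entry should read `"platforms": "linux/arm64, linux/amd64"`, or the docs table should say `amd64` only, as it does for the Debian NAP rows. Anyone selecting a FIPS image for an arm64 cluster will rely on that table, so it should match what is actually built and patched.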
@@ -83,6 +95,12 @@
"target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
"platforms": "linux/amd64"
},
+ {
+ "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
+ "source_os": "alpine-fips",
+ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
+ "platforms": "linux/amd64"
+ },
{
"source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress",
"source_os": "debian",
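Review bot: The NAP `alpine-fips` images added to the patch list here and in the previous hunk are documented by this commit as based on `alpine:3.17`, which as far as I know reached end of support in November 2024, before this commit's date. If that base is accurate and the patch run upgrades OS packages (presumably, since the workflow is not visible here), it will find no new distribution fixes. The patched image would then get a fresh tag without fresh fixes. Worth confirming the real base of the NAP FIPS images, then either correcting the table or moving them to a supported Alpine branch before relying on patching.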
diff --git a/site/content/releases.md b/site/content/releases.md
index 6b8aa8c6d4..cbb810d778 100644
--- a/site/content/releases.md
+++ b/site/content/releases.md
@@ -8,14 +8,6 @@ toc: true
weight: 2100
---
-{{< note >}}
-FIPS compliant images are currently impacted by compatibility issues with a dependent library.
-
-We recommend against:
-1. Patching older FIPS images, which could re-introduce the incompatible dependency.
-2. Building new custom FIPS images.
-{{< /note >}}
-
{{< note >}}
In our next major release, `v4.0.0`, the default log library for NGINX Ingress Controller will be changed from `golang/glog` to `log/slog`.
This will mean that logs generated by NGINX Ingress Controller will be in a structured format with the option to choose a `string` or `json` output.
diff --git a/site/content/technical-specifications.md b/site/content/technical-specifications.md
index 4bab37dac3..554569285c 100644
--- a/site/content/technical-specifications.md
+++ b/site/content/technical-specifications.md
@@ -74,6 +74,9 @@ NGINX Plus images are available through the F5 Container registry `private-regis
|Name
| Base image
| Third-party modules
| F5 Container Registry Image | Architectures |
| ---| ---| --- | --- | --- |
|Alpine-based image | ``alpine:3.20`` | NGINX Plus JavaScript and OpenTracing modules
OpenTracing tracers for Jaeger
Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine` | arm64
amd64 |
+|Alpine-based image with FIPS inside | ``alpine:3.20`` | NGINX Plus JavaScript and OpenTracing modules
OpenTracing tracers for Jaeger
Zipkin and Datadog
FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 |
+|Alpine-based image with NGINX App Protect WAF & FIPS inside | ``alpine:3.17`` | NGINX App Protect WAF
NGINX Plus JavaScript and OpenTracing modules
OpenTracing tracers for Jaeger
Zipkin and Datadog
FIPS module and OpenSSL configuration | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 |
+|Alpine-based image with NGINX App Protect WAF v5 & FIPS inside | ``alpine:3.17`` | NGINX App Protect WAF v5
NGINX Plus JavaScript and OpenTracing modules
OpenTracing tracers for Jaeger
Zipkin and Datadog
FIPS module and OpenSSL configuration | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 |
|Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules
OpenTracing tracers for Jaeger
Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}` | arm64
amd64 |
|Debian-based image with NGINX App Protect WAF | ``debian:12-slim`` | NGINX App Protect WAF
NGINX Plus JavaScript and OpenTracing modules
OpenTracing tracers for Jaeger
Zipkin and Datadog | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}` | amd64 |
|Debian-based image with NGINX App Protect WAF v5 | ``debian:12-slim`` | NGINX App Protect WAF v5
NGINX Plus JavaScript and OpenTracing modules
OpenTracing tracers for Jaeger
Zipkin and Datadog | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}` | amd64 |