nginx · sjberman · Jun 5, 2025 · Jun 5, 2025 · Jun 5, 2025
@@ -1,29 +1,20 @@
 # syntax=docker/dockerfile:1.16
-# TODO(sberman): the commented out lines are for when we use the published agent release
-# FROM scratch AS nginx-files
+FROM scratch AS nginx-files
 
-# # the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 <local_file> <container_file>
-# ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
-
-FROM golang:alpine AS builder
-
-WORKDIR /tmp
-
-RUN apk add --no-cache git make \
-    && git clone https://github.com/nginx/agent.git \
-    && cd agent \
-    && git checkout 0de3ba3451d8b05cced5eedb744a82db90db7e53 \
-    && make build
+# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 <local_file> <container_file>
+ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
 
 FROM nginx:1.28.0-alpine-otel
 
+# renovate: datasource=github-tags depName=nginx/agent extractVersion=^v?(?<version>.*)$
+ARG NGINX_AGENT_VERSION=3.0.0
 ARG NJS_DIR
 ARG NGINX_CONF_DIR
 ARG BUILD_AGENT
 
-# RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
-#     printf "%s\n" "http://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
-#     && apk add --no-cache nginx-agent
+RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
+    printf "%s\n" "https://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+    && apk add --no-cache nginx-agent=${NGINX_AGENT_VERSION}
 
 RUN apk add --no-cache libcap bash \
     && mkdir -p /usr/lib/nginx/modules \
@@ -33,9 +24,10 @@ RUN apk add --no-cache libcap bash \
     && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
     # Update packages for CVE-2025-32414 and CVE-2025-32415
     && apk --no-cache upgrade libxml2 \
-    && apk del libcap
-
-COPY --from=builder /tmp/agent/build/nginx-agent /usr/bin/nginx-agent
+    && apk del libcap \
+    # forward request and error logs to docker log collector
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log
 
 COPY build/entrypoint.sh /agent/entrypoint.sh
 COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js

@@ -4,19 +4,11 @@ FROM scratch AS nginx-files
 # the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 <local_file> <container_file>
 ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
 
-FROM golang:alpine AS builder
-
-WORKDIR /tmp
-
-RUN apk add --no-cache git make \
-    && git clone https://github.com/nginx/agent.git \
-    && cd agent \
-    && git checkout 0de3ba3451d8b05cced5eedb744a82db90db7e53 \
-    && make build
-
 FROM alpine:3.21
 
 ARG NGINX_PLUS_VERSION=R34
+# renovate: datasource=github-tags depName=nginx/agent extractVersion=^v?(?<version>.*)$
+ARG NGINX_AGENT_VERSION=3.0.0
 ARG NJS_DIR
 ARG NGINX_CONF_DIR
 ARG BUILD_AGENT
@@ -27,7 +19,10 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
     addgroup -g 1001 -S nginx \
     && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \
     && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
-    && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel libcap bash \
+    && printf "%s\n" "https://pkgs.nginx.com/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+    && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-agent=${NGINX_AGENT_VERSION}
+
+RUN apk add --no-cache libcap bash \
     && mkdir -p /usr/lib/nginx/modules \
 	&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
 	&& setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
@@ -38,8 +33,6 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
     && ln -sf /dev/stdout /var/log/nginx/access.log \
     && ln -sf /dev/stderr /var/log/nginx/error.log
 
-COPY --from=builder /tmp/agent/build/nginx-agent /usr/bin/nginx-agent
-
 COPY build/entrypoint.sh /agent/entrypoint.sh
 COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js
 COPY ${NGINX_CONF_DIR}/nginx-plus.conf /etc/nginx/nginx.conf

@@ -7,7 +7,7 @@ require (
 	github.com/go-logr/logr v1.4.3
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
-	github.com/nginx/agent/v3 v3.0.0-20250530133342-0de3ba3451d8
+	github.com/nginx/agent/v3 v3.0.0
 	github.com/nginx/telemetry-exporter v0.1.4
 	github.com/onsi/ginkgo/v2 v2.23.4
 	github.com/onsi/gomega v1.37.0

@@ -137,8 +137,8 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/nginx/agent/v3 v3.0.0-20250530133342-0de3ba3451d8 h1:CHIWBxdGA10EtNnCCwxaI49HvM3rRgWuBiA9moVF7dw=
-github.com/nginx/agent/v3 v3.0.0-20250530133342-0de3ba3451d8/go.mod h1:O/31aKtii/mpiZmFGMcTNDoLtKzwTyTXOBMSRkMaPvs=
+github.com/nginx/agent/v3 v3.0.0 h1:iUAho/Q1qx63CP4Eunf94DmLFOrOe7/r3oCPwy72p7E=
+github.com/nginx/agent/v3 v3.0.0/go.mod h1:O/31aKtii/mpiZmFGMcTNDoLtKzwTyTXOBMSRkMaPvs=
 github.com/nginx/telemetry-exporter v0.1.4 h1:3ikgKlyz/O57oaBLkxCInMjr74AhGTKr9rHdRAkkl/w=
 github.com/nginx/telemetry-exporter v0.1.4/go.mod h1:bl6qmsxgk4a9D0X8R5E3sUNXN2iECPEK1JNbRLhN5C4=
 github.com/nginxinc/nginx-plus-go-client/v2 v2.0.1 h1:5VVK38bnELMDWnwfF6dSv57ResXh9AUzeDa72ENj94o=