Cherry pick 3.4.1 (#4886)

* fix release script for helm (#4810) Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> * Test jobs further refactor (#4820) * Fix AWS registry (#4825) * Don't push Marketplace images (#4827) * Add the ability to have Nginx version checks in templates (#4831) Add the ability to add version dependent template elements * Add trigger for GCP Marketplace repo (#4829) * Add automatic push to GCP Marketplace (#4828) * Update N+ to R31 (#4850) * Bump the go group with 3 updates (#4846) Bumps the go group with 3 updates: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2), [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) and [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.26.1 to 1.26.2 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@config/v1.26.1...config/v1.26.2) Updates `github.com/go-chi/chi/v5` from 5.0.10 to 5.0.11 - [Release notes](https://github.com/go-chi/chi/releases) - [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md) - [Commits](go-chi/chi@v5.0.10...v5.0.11) Updates `github.com/prometheus/client_golang` from 1.17.0 to 1.18.0 - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](prometheus/client_golang@v1.17.0...v1.18.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/go-chi/chi/v5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Report User Agent for Alpine and UBI (#4845) * Bump the go group with 2 updates (#4873) Bumps the go group with 2 updates: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/marketplacemetering](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.26.2 to 1.26.3 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@config/v1.26.2...config/v1.26.3) Updates `github.com/aws/aws-sdk-go-v2/service/marketplacemetering` from 1.19.5 to 1.19.6 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/mq/v1.19.5...service/efs/v1.19.6) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/service/marketplacemetering dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> * Update UBI string for new images (#4893) * Bump the go group with 1 update (#4905) Bumps the go group with 1 update: [github.com/nginxinc/nginx-prometheus-exporter](https://github.com/nginxinc/nginx-prometheus-exporter). Updates `github.com/nginxinc/nginx-prometheus-exporter` from 1.0.0 to 1.1.0 - [Release notes](https://github.com/nginxinc/nginx-prometheus-exporter/releases) - [Changelog](https://github.com/nginxinc/nginx-prometheus-exporter/blob/main/CHANGELOG.md) - [Commits](nginxinc/nginx-prometheus-exporter@v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: github.com/nginxinc/nginx-prometheus-exporter dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> * patch base images on container build (#4869) --------- Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Co-authored-by: Luca Comellini <luca.com@gmail.com> Co-authored-by: oseoin <oseoin@users.noreply.github.com> Co-authored-by: Venktesh Shivam Patel <ve.patel@f5.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
nginxinc · Jan 12, 2024 · a376068 · a376068
1 parent c36901c
commit a376068
Show file tree

Hide file tree

Showing 19 changed files with 393 additions and 86 deletions.
diff --git a/.github/scripts/release-version-update.sh b/.github/scripts/release-version-update.sh
@@ -55,6 +55,9 @@ echo "Updating versions: "
 echo "ic_version: ${current_ic_version} -> ${ic_version}"
 echo "helm_chart_version: ${current_helm_chart_version} -> ${helm_chart_version}"
 
+regex_ic="s#$current_ic_version#$ic_version#g"
+regex_helm="s#$current_helm_chart_version#$helm_chart_version#g"
+
 mv "${HELM_CHART_PATH}/values.schema.json" "${TMPDIR}/"
 jq --arg version "${ic_version}" \
     '.properties.controller.properties.image.properties.tag.default = $version | .properties.controller.properties.image.properties.tag.examples[0] = $version | .properties.controller.examples[0].image.tag = $version | .properties.controller.properties.image.examples[0].tag = $version | .examples[0].controller.image.tag = $version' \
@@ -74,8 +77,7 @@ for i in "${FILES_TO_UPDATE_IC_VERSION[@]}"; do
     fi
     file_name=$(basename "${i}")
     mv "${i}" "${TMPDIR}/${file_name}"
-    regex="s#$current_ic_version#$ic_version#g"
-    cat "${TMPDIR}/${file_name}" | sed -e "$regex" > "${i}"
+    cat "${TMPDIR}/${file_name}" | sed -e "$regex_ic" > "${i}"
     if [ $? -ne 0 ]; then
         echo "ERROR: failed processing ${i}"
         mv "${TMPDIR}/${file_name}" "${i}"
@@ -90,8 +92,7 @@ for i in "${FILE_TO_UPDATE_HELM_CHART_VERSION[@]}"; do
     fi
     file_name=$(basename "${i}")
     mv "${i}" "${TMPDIR}/${file_name}"
-    regex="s#$current_ic_version#$ic_version#g"
-    cat "${TMPDIR}/${file_name}" | sed -e "$regex" > "${i}"
+    cat "${TMPDIR}/${file_name}" | sed -e "$regex_helm" > "${i}"
     if [ $? -ne 0 ]; then
         echo "ERROR: failed processing ${i}"
         mv "${TMPDIR}/${file_name}" "${i}"
@@ -107,8 +108,7 @@ for i in ${docs_files}; do
     fi
     file_name=$(basename "${i}")
     mv "${i}" "${TMPDIR}/${file_name}"
-    regex="s#$current_ic_version#$ic_version#g"
-    cat "${TMPDIR}/${file_name}" | sed -e "$regex" > "${i}"
+    cat "${TMPDIR}/${file_name}" | sed -e "$regex_ic" | sed -e "$regex_helm" > "${i}"
     if [ $? -ne 0 ]; then
         echo "ERROR: failed processing ${i}"
         mv "${TMPDIR}/${file_name}" "${i}"

diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
@@ -71,6 +71,23 @@ jobs:
           password: ${{ steps.auth.outputs.access_token }}
         if: github.event_name != 'pull_request'
 
+      - name: Authenticate to Google Cloud Marketplace
+        id: auth-mktpl
+        uses: google-github-actions/auth@67e9c72af6e0492df856527b474995862b7b6591 # v2.0.0
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY_MKTPL }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT_MKTPL }}
+        if: github.ref_type == 'tag' && ! contains(inputs.target, 'aws')
+
+      - name: Login to GCR for Marketplace
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth-mktpl.outputs.access_token }}
+        if: github.ref_type == 'tag' && ! contains(inputs.target, 'aws')
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
@@ -107,7 +124,8 @@ jobs:
         with:
           images: |
             name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress
-            name=docker-mgmt.nginx.com/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress,enable=${{ github.ref_type != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+            name=gcr.io/f5-7626-networks-public/nginxinc/nginx-plus-ingress${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }},enable=${{ github.ref_type == 'tag' && ! contains(inputs.target, 'aws') && ! contains(inputs.image, 'alpine') && ! contains(inputs.image, 'ubi') }}
+            name=docker-mgmt.nginx.com/nginx-ic${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}/nginx-plus-ingress,enable=${{ github.ref_type != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! contains(inputs.target, 'aws') }}
             name=709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},enable=${{ github.ref_type == 'tag' && contains(inputs.target, 'aws') }}
           flavor: |
             suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}},onlatest=true
@@ -161,7 +179,7 @@ jobs:
       - name: AWS variables
         id: aws
         run: |
-          aws_registry=$(echo "${{ steps.meta.outputs.tags }}" | grep -oP "709825985650.dkr.ecr.us-east-1.amazonaws.com/[^[:space:]]+")
+          aws_registry=$(echo "${{ steps.meta.outputs.tags }}" | grep -oP "709825985650.dkr.ecr.us-east-1.amazonaws.com/[^[:space:]]+:${{ steps.meta.outputs.version }}")
           version=$(echo ${{ steps.meta.outputs.version }} | sed 's/-mktpl//')
           declare -A nap_mapping=(
               ["waf"]=_NAP_WAF

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -282,18 +282,17 @@ jobs:
                                                 {\"image\": \"alpine\", \"marker\":\"'policies and not policies_rl and not policies_ac and not policies_jwt and not policies_mtls'\"}, \
                                                 {\"image\": \"alpine\", \"marker\":\"'policies_rl or policies_ac or policies_jwt or policies_mtls'\"}, \
                                                 {\"image\": \"debian\", \"marker\": \"'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'\"}, \
-                                                {\"image\": \"debian\", \"marker\": \"'vs_ipv6 or vs_rewrite or vs_responses or vs_grpc or vs_redirects or vs_externalname or vs_externaldns or vs_certmanager'\"}, \
-                                                {\"image\": \"debian\", \"marker\": \"'vs_certmanager'\"}, \
+                                                {\"image\": \"debian\", \"marker\": \"'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'\"}, \
+                                                {\"image\": \"debian\", \"marker\": \"'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'\"}, \
                                                 {\"image\": \"ubi\", \"marker\": \"ts\"}, \
                                                 {\"image\": \"debian-plus\", \"marker\": \"'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'\"}, \
-                                                {\"image\": \"debian-plus\", \"marker\": \"'vs_ipv6 or vs_rewrite or vs_responses or vs_grpc or vs_redirects or vs_externalname or vs_externaldns or vs_certmanager'\"}, \
-                                                {\"image\": \"debian-plus\", \"marker\": \"vs_certmanager\"}, \
+                                                {\"image\": \"debian-plus\", \"marker\": \"'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'\"}, \
+                                                {\"image\": \"debian-plus\", \"marker\": \"'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'\"}, \
                                                 {\"image\": \"debian-plus\", \"marker\": \"ts\"}, \
                                                 {\"image\": \"alpine-plus\", \"marker\":\"ingresses\"}, \
                                                 {\"image\": \"alpine-plus\", \"marker\": \"vsr\"}, \
-                                                {\"image\": \"ubi-plus\", \"marker\":\"'policies and not policies_rl and not policies_ac and not policies_jwt and not policies_mtls'\"}, \
-                                                {\"image\": \"ubi-plus\", \"marker\":\"'policies_rl or policies_ac or policies_jwt or policies_mtls'\"}, \
-                                                {\"image\": \"debian-plus-nap\", \"marker\": \"appprotect_integration\"}, \
+                                                {\"image\": \"ubi-plus\", \"marker\":\"'policies and not policies_ac and not policies_jwt and not policies_mtls'\"}, \
+                                                {\"image\": \"ubi-plus\", \"marker\":\"'policies_ac or policies_jwt or policies_mtls'\"}, \
                                                 {\"image\": \"debian-plus-nap\", \"marker\": \"appprotect_waf_policies_allow\"}, \
                                                 {\"image\": \"debian-plus-nap\", \"marker\": \"'appprotect_waf_policies and not appprotect_waf_policies_allow'\"}, \
                                                 {\"image\": \"debian-plus-nap\", \"marker\": \"appprotect_waf_policies_grpc\"}, \
@@ -502,3 +501,24 @@ jobs:
               },
             })
     if: github.ref_type == 'tag'
+
+  gcp-marketplace:
+    name: Trigger PR for GCP Marketplace
+    runs-on: ubuntu-22.04
+    needs: [checks, publish-helm]
+    steps:
+      - name:
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{ secrets.NGINX_PAT }}
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: 'kubernetes-ingress-gcp',
+              workflow_id: 'sync-chart.yml',
+              ref: 'main',
+              inputs: {
+                chart_version: '${{ needs.checks.outputs.chart_version }}'
+              },
+            })
+    if: github.ref_type == 'tag'
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -1,7 +1,8 @@
 # syntax=docker/dockerfile:1.6
 ARG BUILD_OS=debian
-ARG NGINX_PLUS_VERSION=R30
+ARG NGINX_PLUS_VERSION=R31
 ARG DOWNLOAD_TAG=edge
+ARG DEBIAN_FRONTEND=noninteractive
 
 
 ############################################# Base images containing libs for Opentracing and FIPS #############################################
@@ -15,16 +16,19 @@ FROM nginx:1.25.3-alpine AS alpine
 
 RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
 	apk add --no-cache libcap libstdc++ \
+	&& apk upgrade --no-cache -U \
 	&& cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
 	&& cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \
-	&& ldconfig /usr/local/lib/
+	&& ldconfig /usr/local/lib/ \
+	&& apk cache clean
 
 
 ############################################# Base image for Debian #############################################
 FROM nginx:1.25.3 AS debian
 
 RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
 	apt-get update \
+	&& apt-get upgrade -y \
 	&& apt-get install --no-install-recommends --no-install-suggests -y libcap2-bin \
 	&& rm -rf /var/lib/apt/lists/* \
 	&& cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
@@ -47,6 +51,8 @@ LABEL name="NGINX Ingress Controller" \
 	io.openshift.tags="nginx,ingress-controller,ingress,controller,kubernetes,openshift"
 
 COPY --link --chown=101:0 LICENSE /licenses/
+RUN microdnf update -y \
+	&& microdnf clean all
 
 
 ############################################# NGINX files for NGINX Plus #############################################
@@ -69,9 +75,11 @@ ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/m
 ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/main/files/nap-waf-debian-11.repo nap-waf-11.sources
 ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/main/files/nap-dos-debian-11.repo nap-dos-11.sources
 
-RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent \"k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt\";" >> 90pkgs-nginx \
+RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt;" >> 90pkgs-nginx \
+	&& printf "%s\n" "user_agent=k8s-ic-$IC_VERSION${BUILD_OS##ubi*plus}-dnf" | tee -a nginx-plus-*.repo \
 	&& sed -i -e "s;%VERSION%;${NGINX_PLUS_VERSION};g" *.sources \
-	&& sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" *.repo
+	&& sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" *.repo \
+	&& echo HTTP_USER_AGENT="k8s-ic-$IC_VERSION${BUILD_OS##alpine-plus}-apk" > user_agent
 
 
 ############################################# Base image for Alpine with NGINX Plus #############################################
@@ -82,10 +90,14 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
 	--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \
 	--mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
 	--mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
-	printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+	--mount=type=bind,from=nginx-files,src=user_agent,target=/tmp/user_agent \
+	export $(cat /tmp/user_agent) \
+	&& printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+	&& apk upgrade --no-cache -U \
 	&& apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check libcap libcurl \
 	&& cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
-	&& ldconfig /usr/local/lib/
+	&& ldconfig /usr/local/lib/ \
+	&& apk cache clean
 
 
 ############################################# Base image for Alpine with NGINX Plus and FIPS #############################################
@@ -109,6 +121,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	--mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \
 	--mount=type=bind,from=nginx-files,src=debian-plus-12.sources,target=/etc/apt/sources.list.d/nginx-plus.sources \
 	apt-get update \
+	&& apt-get upgrade -y \
 	&& apt-get install --no-install-recommends --no-install-suggests -y sq ca-certificates libcap2-bin libcurl4 \
 	&& groupadd --system --gid 101 nginx \
 	&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
@@ -136,6 +149,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	--mount=type=bind,from=nginx-files,src=nap-dos-11.sources,target=/etc/apt/sources.list.d/app-protect-dos.sources \
 	## the code below is duplicated from the debian-plus image because NAP doesn't support debian 12
 	apt-get update \
+	&& apt-get upgrade -y \
 	&& apt-get install --no-install-recommends --no-install-suggests -y ca-certificates sq \
 	&& groupadd --system --gid 101 nginx \
 	&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
@@ -171,6 +185,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	--mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
 	--mount=type=bind,from=nginx-files,src=nginx-plus-9.repo,target=/etc/yum.repos.d/nginx-plus.repo \
 	microdnf --nodocs install -y shadow-utils \
+	&& microdnf update -y \
 	&& cat /etc/yum.repos.d/nginx-plus.repo \
 	&& groupadd --system --gid 101 nginx \
 	&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
@@ -195,6 +210,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	source /tmp/rhel_license \
 	## the code below is duplicated from the ubi-plus image because NAP doesn't support UBI 9 and minimal versions
 	dnf --nodocs install -y shadow-utils ca-certificates \
+	&& dnf update -y \
 	&& groupadd --system --gid 101 nginx \
 	&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
 	&& rpm --import /tmp/nginx_signing.key \

diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go
@@ -79,7 +79,7 @@ func main() {
 		appProtectVersion = getAppProtectVersionInfo()
 	}
 
-	updateSelfWithVersionInfo(kubeClient, version, nginxVersion, appProtectVersion)
+	updateSelfWithVersionInfo(kubeClient, version, nginxVersion.String(), appProtectVersion)
 
 	templateExecutor, templateExecutorV2 := createTemplateExecutors()
 
@@ -118,6 +118,7 @@ func main() {
 		EnableCertManager:              *enableCertManager,
 		DynamicSSLReload:               *enableDynamicSSLReload,
 		StaticSSLPath:                  nginxManager.GetSecretsDir(),
+		NginxVersion:                   nginxVersion,
 	}
 
 	processNginxConfig(staticCfgParams, cfgParams, templateExecutor, nginxManager)
@@ -146,6 +147,7 @@ func main() {
 		IsPrometheusEnabled:       *enablePrometheusMetrics,
 		IsLatencyMetricsEnabled:   *enableLatencyMetrics,
 		IsDynamicSSLReloadEnabled: *enableDynamicSSLReload,
+		NginxVersion:              nginxVersion,
 	})
 
 	controllerNamespace := os.Getenv("POD_NAMESPACE")
@@ -400,17 +402,16 @@ func createNginxManager(managerCollector collectors.ManagerCollector) (nginx.Man
 	return nginxManager, useFakeNginxManager
 }
 
-func getNginxVersionInfo(nginxManager nginx.Manager) string {
-	nginxVersion := nginxManager.Version()
-	isPlus := strings.Contains(nginxVersion, "plus")
-	glog.Infof("Using %s", nginxVersion)
+func getNginxVersionInfo(nginxManager nginx.Manager) nginx.Version {
+	nginxInfo := nginxManager.Version()
+	glog.Infof("Using %s", nginxInfo.String())
 
-	if *nginxPlus && !isPlus {
+	if *nginxPlus && !nginxInfo.IsPlus {
 		glog.Fatal("NGINX Plus flag enabled (-nginx-plus) without NGINX Plus binary")
-	} else if !*nginxPlus && isPlus {
+	} else if !*nginxPlus && nginxInfo.IsPlus {
 		glog.Fatal("NGINX Plus binary found without NGINX Plus flag (-nginx-plus)")
 	}
-	return nginxVersion
+	return nginxInfo
 }
 
 func getAppProtectVersionInfo() string {

diff --git a/docs/content/technical-specifications.md b/docs/content/technical-specifications.md
@@ -60,7 +60,7 @@ _All images include NGINX 1.25.2._
 
 ### Images with NGINX Plus
 
-_NGINX Plus images include NGINX Plus R30._
+_NGINX Plus images include NGINX Plus R31._
 
 #### **F5 Container registry**