Images: Bump Alpine to v3.23.0. (#14249)

Gacko · web-flow · commit b33b02493b74 · 2025-12-08T17:50:09.000+01:00
diff --git a/Makefile b/Makefile
@@ -110,7 +110,7 @@ clean-chroot-image: ## Removes local image
 
 .PHONY: build
 build:  ## Build ingress controller, debug tool and pre-stop hook.
-	E2E_IMAGE=golang:$(GO_VERSION)-alpine3.22 USE_SHELL=/bin/sh build/run-in-docker.sh \
+	E2E_IMAGE=golang:$(GO_VERSION)-alpine3.23 USE_SHELL=/bin/sh build/run-in-docker.sh \
 		MAC_OS=$(MAC_OS) \
 		PKG=$(PKG) \
 		ARCH=$(ARCH) \
diff --git a/docs/examples/customization/sysctl/patch.json b/docs/examples/customization/sysctl/patch.json
@@ -4,7 +4,7 @@
 			"spec": {
 				"initContainers": [{
 					"name": "sysctl",
-					"image": "alpine:3.22.2",
+					"image": "alpine:3.23.0",
 					"securityContext": {
 						"privileged": true
 					},
diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
@@ -861,7 +861,7 @@ It can be enabled using the following annotation:
 ```yaml
 nginx.ingress.kubernetes.io/enable-modsecurity: "true"
 ```
-ModSecurity will run in "Detection-Only" mode using the [recommended configuration](https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended).
+ModSecurity will run in "Detection-Only" mode using the [recommended configuration](https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/modsecurity.conf-recommended).
 
 You can enable the [OWASP Core Rule Set](https://www.modsecurity.org/CRS/Documentation/) by
 setting the following annotation:
@@ -883,7 +883,7 @@ nginx.ingress.kubernetes.io/modsecurity-snippet: |
 
 Note: If you use both `enable-owasp-core-rules` and `modsecurity-snippet` annotations together, only the
 `modsecurity-snippet` will take effect. If you wish to include the [OWASP Core Rule Set](https://www.modsecurity.org/CRS/Documentation/) or
-[recommended configuration](https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended) simply use the include
+[recommended configuration](https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/modsecurity.conf-recommended) simply use the include
 statement:
 
 nginx 0.24.1 and below
diff --git a/docs/user-guide/third-party-addons/modsecurity.md b/docs/user-guide/third-party-addons/modsecurity.md
@@ -1,14 +1,14 @@
 # ModSecurity Web Application Firewall
 
-ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis - [https://www.modsecurity.org](https://www.modsecurity.org)
+ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by OWASP. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis - [https://www.modsecurity.org](https://www.modsecurity.org)
 
-The [ModSecurity-nginx](https://github.com/SpiderLabs/ModSecurity-nginx) connector is the connection point between NGINX and libmodsecurity (ModSecurity v3).
+The [ModSecurity-nginx](https://github.com/owasp-modsecurity/ModSecurity-nginx) connector is the connection point between NGINX and libmodsecurity (ModSecurity v3).
 
 The default ModSecurity configuration file is located in `/etc/nginx/modsecurity/modsecurity.conf`. This is the only file located in this directory and contains the default recommended configuration. Using a volume we can replace this file with the desired configuration.
 To enable the ModSecurity feature we need to specify `enable-modsecurity: "true"` in the configuration configmap.
 
 >__Note:__ the default configuration use detection only, because that minimizes the chances of post-installation disruption.
-Due to the value of the setting [SecAuditLogType=Concurrent](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogtype) the ModSecurity log is stored in multiple files inside the directory `/var/log/audit`.
+Due to the value of the setting [SecAuditLogType=Concurrent](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogtype) the ModSecurity log is stored in multiple files inside the directory `/var/log/audit`.
 The default `Serial` value in SecAuditLogType can impact performance.
 
 The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
diff --git a/images/cfssl/rootfs/Dockerfile b/images/cfssl/rootfs/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM alpine:3.22.2
+FROM alpine:3.23.0
 
 RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
 RUN apk update \
diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile
@@ -14,7 +14,7 @@
 
 ARG GOLANG_VERSION
 
-FROM golang:${GOLANG_VERSION}-alpine3.22 AS builder
+FROM golang:${GOLANG_VERSION}-alpine3.23 AS builder
 
 RUN apk update \
     && apk upgrade && apk add git
diff --git a/images/ext-auth-example-authsvc/rootfs/Dockerfile b/images/ext-auth-example-authsvc/rootfs/Dockerfile
@@ -1,6 +1,6 @@
 ARG GOLANG_VERSION
 
-FROM golang:${GOLANG_VERSION}-alpine3.22 AS builder
+FROM golang:${GOLANG_VERSION}-alpine3.23 AS builder
 RUN mkdir /authsvc
 WORKDIR /authsvc
 COPY . ./
diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile
@@ -13,7 +13,7 @@
 # limitations under the License.
 ARG GOLANG_VERSION
 
-FROM golang:${GOLANG_VERSION}-alpine3.22 AS builder
+FROM golang:${GOLANG_VERSION}-alpine3.23 AS builder
 
 WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi
 
diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile
@@ -1,6 +1,6 @@
 ARG GOLANG_VERSION
 
-FROM golang:${GOLANG_VERSION}-alpine3.22 AS build
+FROM golang:${GOLANG_VERSION}-alpine3.23 AS build
 
 WORKDIR /go/src/greeter-server
 
diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM alpine:3.22.2 AS builder
+FROM alpine:3.23.0 AS builder
 
 COPY . /
 
@@ -21,7 +21,7 @@ RUN apk update \
   && /build.sh
 
 # Use a multi-stage build
-FROM alpine:3.22.2
+FROM alpine:3.23.0
 
 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin
 
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
@@ -32,10 +32,10 @@ export MORE_HEADERS_VERSION=v0.37
 # Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...master
 export NGINX_DIGEST_AUTH=v1.0.0
 
-# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.4...master
+# Check for recent changes: https://github.com/owasp-modsecurity/ModSecurity-nginx/compare/v1.0.4...master
 export MODSECURITY_VERSION=v1.0.4
 
-# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.14...v3/master
+# Check for recent changes: https://github.com/owasp-modsecurity/ModSecurity/compare/v3.0.14...v3/master
 export MODSECURITY_LIB_VERSION=v3.0.14
 
 # Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v4.15.0...main
@@ -98,8 +98,8 @@ export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be
 # Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.2.4...main
 export MIMALOC_VERSION=v2.2.4
 
-# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.18.0...main
-export OPENTELEMETRY_CPP_VERSION=v1.18.0
+# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.19.0...main
+export OPENTELEMETRY_CPP_VERSION=v1.19.0
 
 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-proto/compare/v1.5.0...main
 export OPENTELEMETRY_PROTO_VERSION=v1.5.0
@@ -211,7 +211,7 @@ get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \
         "https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest"
 
 get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \
-        "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx"
+        "https://github.com/owasp-modsecurity/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx"
 
 get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \
         "https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz" "lua-nginx-module"
@@ -336,18 +336,28 @@ make install
 
 # build modsecurity library
 cd "$BUILD_PATH"
-git clone -n https://github.com/SpiderLabs/ModSecurity
+git clone -n https://github.com/owasp-modsecurity/ModSecurity
 cd ModSecurity/
 git checkout $MODSECURITY_LIB_VERSION
 git submodule init
 git submodule update
 
 sh build.sh
 
-# https://github.com/SpiderLabs/ModSecurity/issues/1909#issuecomment-465926762
+# https://github.com/owasp-modsecurity/ModSecurity/issues/1909#issuecomment-465926762
 sed -i '115i LUA_CFLAGS="${LUA_CFLAGS} -DWITH_LUA_JIT_2_1"' build/lua.m4
 sed -i '117i AC_SUBST(LUA_CFLAGS)' build/lua.m4
 
+#
+# As of Alpine v3.23.0, building ModSecurity fails with:
+#
+# headers/modsecurity/collection/collection.h:x:x: error: 'int32_t' has not been declared
+# headers/modsecurity/collection/collection.h:x:x: note: 'int32_t' is defined in header '<cstdint>'; this is probably fixable by adding '#include <cstdint>'
+#
+# Sadly this has not been fixed upstream, yet, so we manually patch it here.
+#
+sed -i '24i #include <cstdint>' headers/modsecurity/collection/collection.h
+
 ./configure \
   --disable-doxygen-doc \
   --disable-doxygen-html \
diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile
@@ -15,7 +15,7 @@ ARG BASE_IMAGE
 ARG GOLANG_VERSION
 ARG ETCD_VERSION
 
-FROM golang:${GOLANG_VERSION}-alpine3.22 AS go
+FROM golang:${GOLANG_VERSION}-alpine3.23 AS go
 FROM registry.k8s.io/etcd:${ETCD_VERSION} AS etcd
 
 FROM ${BASE_IMAGE}
diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot
@@ -23,7 +23,7 @@ RUN apk update \
   && apk upgrade \
   && /chroot.sh
 
-FROM alpine:3.22.2
+FROM alpine:3.23.0
 
 ARG TARGETARCH
 ARG VERSION
diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile
@@ -1,7 +1,7 @@
 ARG E2E_BASE_IMAGE
 FROM ${E2E_BASE_IMAGE} AS BASE
 
-FROM alpine:3.22.2
+FROM alpine:3.23.0
 
 RUN apk update \
 	&& apk upgrade && apk add -U --no-cache \
