From 98843edcabf8135142728f986f8a7739dc82e04c Mon Sep 17 00:00:00 2001
From: Mark McCormick <mark.mccormick@chainguard.dev>
Date: Wed, 9 Oct 2024 22:14:16 +0100
Subject: [PATCH] Upgrade nginx dependencies git SHAs and versions

Signed-off-by: Mark McCormick <mark.mccormick@chainguard.dev>
---
 ingress-nginx-controller-1.11.yaml | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/ingress-nginx-controller-1.11.yaml b/ingress-nginx-controller-1.11.yaml
index f6f424b13a..fc3a950690 100644
--- a/ingress-nginx-controller-1.11.yaml
+++ b/ingress-nginx-controller-1.11.yaml
@@ -2,6 +2,7 @@
 package:
   name: ingress-nginx-controller-1.11
   version: 1.11.3
+  # There are manual changes to review between each package update. See 'vars:' section.
   epoch: 0
   description: "Ingress-NGINX Controller for Kubernetes"
   copyright:
@@ -126,19 +127,28 @@ environment:
       - zlib-dev
 
 vars:
+  # These environment variables need updated for each new release. Retrieve their
+  # correct values from here, replacing <package-version> with the package version.
+  #   - https://github.com/kubernetes/ingress-nginx/blob/controller-v<package-version>/images/nginx/rootfs/build.sh
+  # On occasion, these versions may be bumped ahead of upstream (above link), to
+  # remediate vulnerabilities.
   NGINX_VERSION: "1.25.5"
   NDK_VERSION: "0.3.3"
   SETMISC_VERSION: "0.33"
   MORE_HEADERS_VERSION: "0.37"
   NGINX_DIGEST_AUTH: "1.0.0"
   NGINX_SUBSTITUTIONS: "e12e965ac1837ca709709f9a26f572a54d83430e"
-  MODSECURITY_NGINX_VERSION: "ef64996aedd4bb5fa1831631361244813d48b82f"
   OWASP_MODSECURITY_CRS_VERSION: "v4.4.0"
   LUA_NGX_VERSION: "0.10.27"
   LUA_STREAM_NGX_VERSION: "0.0.15"
   LUA_UPSTREAM_VERSION: "542be0893543a4e42d89f6dd85372972f5ff2a36"
   GEOIP2_VERSION: "a607a41a8115fecfc05b5c283c81532a3d605425"
+  # Does not do versioning, and repo is seldom updated. Grab the latest master
+  # branch git commit SHA: https://github.com/google/ngx_brotli/commits/master
   NGX_BROTLI_SHA: 63ca02abdcf79c9e788d2eedcc388d2335902e52
+  # TODO: ModSecurity-nginx needs a release beyond v1.0.3 to work properly
+  # see https://github.com/owasp-modsecurity/ModSecurity-nginx/issues/324
+  MODSECURITY_NGINX_VERSION: "ef64996aedd4bb5fa1831631361244813d48b82f"
 
 pipeline:
   - uses: git-checkout
@@ -147,13 +157,11 @@ pipeline:
       tag: controller-v${{package.version}}
       expected-commit: f6456ea86c6c330e7cf401ade70ce1faa757265b
 
-  # TODO: ModSecurity-nginx needs a release beyond v1.0.3 to work properly
-  # see https://github.com/owasp-modsecurity/ModSecurity-nginx/issues/324
   - uses: git-checkout
     with:
       repository: https://github.com/owasp-modsecurity/ModSecurity-nginx
       branch: master
-      expected-commit: f6456ea86c6c330e7cf401ade70ce1faa757265b
+      expected-commit: ${{vars.MODSECURITY_NGINX_VERSION}}
       destination: ModSecurity-nginx-${{vars.MODSECURITY_NGINX_VERSION}}
 
   - name: Build ingress-nginx controller from source
@@ -529,6 +537,7 @@ subpackages:
 
 update:
   enabled: true
+  manual: true
   github:
     identifier: kubernetes/ingress-nginx
     strip-prefix: controller-v