add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks

[grounded042]

What this PR does / why we need it:

In #11037 the base image was changed from registry.k8s.io/ingress-nginx/nginx to registry.k8s.io/ingress-nginx/nginx-1.25. This removed many patches to nginx which were previously included from the https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx/rootfs/patches directory.

This PR adds openresty patches to the nginx-1.25 base image.

I originally opened this PR because of SSL patches, but in a Slack discussion
it was determined that including almost all patches openresty had for 1.25.3
was the best patch forward. Note that I did not include header and footer
patches which change headers and footers from nginx to openresty.

I renamed the patches to order them numerically as the don't apply correctly
if they are not applied in order.

I did not include the following patches:

• builtin_error_page_footer.patch since we don't want to patch in openresty to footers
• server_header.patch since we don't want to patch in openresty to headers
• setting_args_invalidates_uri.patch as it's not needed after nginx 1.7.1
• hash_overflow.patch as it's not needed after nginx 1.7.7
• no_pool.patch as we don't want to disable the nginx memory pool

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• CVE Report (Scanner found CVE and adding report)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation only

Which issue/s this PR fixes

How Has This Been Tested?

I tested this locally via a simple nginx configuration. Before adding in the needed patches the ssl_client_hello_by_lua_block and ssl_certificate_by_lua_block would cause errors during SSL_connect (eg. OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:443). After the patches were added no errors would occur.

error_log stderr info;

events {}
http {
	access_log stdout;

	# use docker embedded DNS
	resolver 127.0.0.11;

	server {
		listen 80;
		listen 443 ssl;

		ssl_certificate     /certs/rsa.crt;
		ssl_certificate_key /certs/rsa.key;

		ssl_client_hello_by_lua_block {
			ngx.log(ngx.INFO, "running: ssl_client_hello_by_lua_block")
			
			local http = require("resty.http")
			local httpc = http.new()
			httpc:set_timeout(1000)

			local res, err = httpc:request_uri("http://sidecar:8945", {
			  method = "GET",
			})
			if not res then
			  ngx.log(ngx.ERR, "client hello sidecar request failed: ", err)
			  return
			end
			
			ngx.log(ngx.INFO, "client hello sidecar request worked. got status code: ", res.status)
		}

		ssl_certificate_by_lua_block {
			ngx.log(ngx.INFO, "running: ssl_certificate_by_lua_block")
			
			local http = require("resty.http")
			local httpc = http.new()
			httpc:set_timeout(1000)

			local res, err = httpc:request_uri("http://sidecar:8945", {
			  method = "GET",
			})
			if not res then
			  ngx.log(ngx.ERR, "cert sidecar request failed: ", err)
			  return
			end
			
			ngx.log(ngx.INFO, "cert sidecar request worked. got status code: ", res.status)
		}

		location / {
			return 200 'hello, world';
		}
	}
}

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have added unit and/or e2e tests to cover my changes.
• All new and existing tests passed.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: grounded042 / name: Jon Carl (8607c89, 016a4bf)

[k8s-ci-robot]

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

Welcome @grounded042!

It looks like this is your first PR to kubernetes/ingress-nginx 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/ingress-nginx has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @grounded042. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[netlify]

✅ Deploy Preview for kubernetes-ingress-nginx ready!

Name	Link
🔨 Latest commit	8607c89
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-ingress-nginx/deploys/66820f00c2f9740008820dcc
😎 Deploy Preview	https://deploy-preview-11485--kubernetes-ingress-nginx.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[Gacko]

/cc @strongjz
/uncc @Gacko

[tao12345666333]

/assign

[tao12345666333]

Thank you! You are right. When we upgraded the NGINX, we did not synchronize all patches.

[grounded042]

@tao12345666333 as we talked about in Slack I've updated this PR to include 1.25.3 patches from openresty. I've updated the description with these details as well, but some notes:

I renamed the patches to order them numerically as the don't apply correctly if they are not applied in order.

I did not include the following patches:

• builtin_error_page_footer.patch since we don't want to patch in openresty to footers
• server_header.patch since we don't want to patch in openresty to headers
• setting_args_invalidates_uri.patch as it's not needed after nginx 1.7.1
• hash_overflow.patch as it's not needed after nginx 1.7.7
• no_pool.patch as we don't want to disable the nginx memory pool

[tao12345666333]

Thank you! Let me take a look

[tao12345666333]

Thank you!

/ok-to-test

[tao12345666333]

I'll merge this first, then initiate a new NGINX build. After that, we can verify if everything is working properly.

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grounded042, tao12345666333

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [tao12345666333]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Gacko]

/cherry-pick release-1.10
/cherry-pick release-1.11

[k8s-infra-cherrypick-robot]

@Gacko: new pull request created: #11534

In response to this:

/cherry-pick release-1.10
/cherry-pick release-1.11

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Gacko]

/cherry-pick release-1.11

[k8s-infra-cherrypick-robot]

@Gacko: new pull request created: #11535

In response to this:

/cherry-pick release-1.11

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.