fix(api): update kong image to address vulnerability

.github/workflows/mirror-image.yml

@@ -17,7 +17,6 @@ jobs:
   mirror:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
       packages: write
       id-token: write
     steps:

internal/start/start.go

@@ -127,7 +127,7 @@ var (
 	//go:embed templates/custom_nginx.template
 	nginxConfigEmbed string
 	// Hardcoded configs which match nginxConfigEmbed
-	nginxEmailTemplateDir   = "/home/kong/templates/email"
+	nginxEmailTemplateDir   = "/etc/kong/templates/email"
 	nginxTemplateServerPort = 8088
 )
 
@@ -400,7 +400,7 @@ EOF
 				Image: utils.Config.Api.KongImage,
 				Env: []string{
 					"KONG_DATABASE=off",
-					"KONG_DECLARATIVE_CONFIG=/home/kong/kong.yml",
+					"KONG_DECLARATIVE_CONFIG=/etc/kong/kong.yml",
 					"KONG_DNS_ORDER=LAST,A,CNAME", // https://github.com/supabase/cli/issues/14
 					"KONG_PLUGINS=request-transformer,cors",
 					fmt.Sprintf("KONG_PORT_MAPS=%d:8000", utils.Config.Api.Port),
@@ -411,14 +411,14 @@ EOF
 					"KONG_NGINX_PROXY_PROXY_BUFFERS=64 160k",
 					"KONG_NGINX_WORKER_PROCESSES=1",
 					// Use modern TLS certificate
-					"KONG_SSL_CERT=/home/kong/localhost.crt",
-					"KONG_SSL_CERT_KEY=/home/kong/localhost.key",
+					"KONG_SSL_CERT=/etc/kong/localhost.crt",
+					"KONG_SSL_CERT_KEY=/etc/kong/localhost.key",
 				},
-				Entrypoint: []string{"sh", "-c", `cat <<'EOF' > /home/kong/kong.yml && \
-cat <<'EOF' > /home/kong/custom_nginx.template && \
-cat <<'EOF' > /home/kong/localhost.crt && \
-cat <<'EOF' > /home/kong/localhost.key && \
-./docker-entrypoint.sh kong docker-start --nginx-conf /home/kong/custom_nginx.template
+				Entrypoint: []string{"sh", "-c", `cat <<'EOF' > /etc/kong/kong.yml && \
+cat <<'EOF' > /etc/kong/custom_nginx.template && \
+cat <<'EOF' > /etc/kong/localhost.crt && \
+cat <<'EOF' > /etc/kong/localhost.key && \
+./docker-entrypoint.sh kong docker-start --nginx-conf /etc/kong/custom_nginx.template
 ` + kongConfigBuf.String() + `
 EOF
 ` + nginxConfigEmbed + `

internal/start/templates/custom_nginx.template

@@ -4,7 +4,14 @@ error_log logs/error.log ${{LOG_LEVEL}}; # can be set by kong.conf
 daemon ${{NGINX_DAEMON}};                     # can be set by kong.conf
 worker_processes ${{NGINX_WORKER_PROCESSES}}; # can be set by kong.conf
 
+# https://github.com/Kong/kong/discussions/9548#discussioncomment-6174906
+lmdb_environment_path dbless.lmdb;
+lmdb_map_size 128m;
+
 events {
+    # Must be greater or equal to the default value of lua_max_pending_timers
+    # https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#lua_max_pending_timers
+    worker_connections 1024;
     multi_accept on;
 }
 
@@ -20,7 +27,7 @@ http {
 
         location /email {
             autoindex on;
-            root /home/kong/templates;
+            root /etc/kong/templates;
         }
     }
 

pkg/config/constants.go

@@ -6,7 +6,7 @@ const (
 	Pg15Image = "supabase/postgres:15.1.1.78"
 	// Append to ServiceImages when adding new dependencies below
 	// TODO: try https://github.com/axllent/mailpit
-	kongImage        = "library/kong:2.8.1"
+	kongImage        = "library/kong:3.8.0"
 	inbucketImage    = "inbucket/inbucket:3.0.3"
 	postgrestImage   = "postgrest/postgrest:v12.2.0"
 	pgmetaImage      = "supabase/postgres-meta:v0.84.2"