
Commit 4e5fb77

authored
Migrate NGINX Plus secrets to Azure Vault (#8517)
1 parent 1ca073d commit 4e5fb77


5 files changed

+189
-32
lines changed


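--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -122,6 +122,30 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${CERT}"
+echo $CERT > nginx-repo.crt
+IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${KEY}"
+echo $KEY > nginx-repo.key
+
 - name: Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
@@ -171,9 +195,14 @@ jobs:
 build-args: |
 BUILD_OS=${{ matrix.image }}
 IC_VERSION=${{ needs.checks.outputs.ic_version }}
-secrets: |
-"nginx-repo.crt=${{ secrets.NGINX_CRT }}"
-"nginx-repo.key=${{ secrets.NGINX_KEY }}"
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key
+if: always()
 
 build-plus-nap:
 name: Build Plus NAP base images
@@ -190,6 +219,35 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${CERT}"
+echo $CERT > nginx-repo.crt
+IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${KEY}"
+echo $KEY > nginx-repo.key
+IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${RHEL_CREDS}"
+echo $RHEL_CREDS > rhel_license
+
 - name: Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
@@ -242,7 +300,12 @@ jobs:
 BUILD_OS=${{ matrix.image }}
 IC_VERSION=${{ needs.checks.outputs.ic_version }}
 NAP_MODULES=${{ matrix.nap_modules }}
-secrets: |
-"nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}"
-"nginx-repo.key=${{ secrets.NGINX_AP_KEY }}"
-${{ contains(matrix.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
+${{ contains(matrix.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key rhel_license
+if: always()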
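Review bot: In the Setup secrets step, `IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')` is a bare assignment list with no command word, so IFS is changed to `@` for the rest of the script rather than for that one line, and the following `echo $CERT > nginx-repo.crt` depends on that side effect to keep the PEM newlines while still leaving the unquoted value subject to pathname expansion. Quoting the expansion removes the dependency on IFS and the need for the `IFS=@` prefixes: `printf '%s\n' "$CERT" > nginx-repo.crt`, `printf '%s\n' "$KEY" > nginx-repo.key`, and the same for `rhel_license` in the build-plus-nap hunk. Separately, `jq -r '.crt'` prints `null` with exit status 0 when the key is absent, so a malformed vault value is written to the file as the string null instead of failing the step; `jq -er '.crt'` makes the command substitution fail under the default bash shell for `run` steps, which uses `-eo pipefail`. The same script is repeated in the build-plus-nap hunk of this file and in build-plus.yml, build-single-image.yml, ci.yml and setup-smoke.yml.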

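--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -63,6 +63,37 @@ jobs:
 ref: ${{ inputs.branch }}
 fetch-depth: 0
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ inputs.authenticated }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${CERT}"
+echo $CERT > nginx-repo.crt
+IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${KEY}"
+echo $KEY > nginx-repo.key
+IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${RHEL_CREDS}"
+echo $RHEL_CREDS > rhel_license
+if: ${{ inputs.authenticated }}
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
@@ -154,10 +185,10 @@ jobs:
 BUILD_OS=${{ inputs.image }}
 IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
 ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
-secrets: |
-"nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
-"nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
-${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
+${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
 if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }}
 
 - name: Debug values
@@ -199,10 +230,10 @@ jobs:
 IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
 ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
 ${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
-secrets: |
-"nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
-"nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
-${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
+${{ contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
 if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
 - name: Make directory for security scan results
@@ -222,3 +253,8 @@ jobs:
 github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
 summary: true
 if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key rhel_license
+if: always()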
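Review bot: The two build steps in this file (hunks at old lines 157 and 202) previously selected `secrets.NGINX_AP_CRT`/`NGINX_AP_KEY` when `inputs.nap-modules` was set and `NGINX_CRT`/`NGINX_KEY` otherwise, and both now read the single vault secret `plus-creds` written by the Setup secrets step, so the distinction between the two entitlements disappears without the commit saying whether `plus-creds` carries the AP-entitled material. If the NAP images need the AP certificate, a second vault secret and a branch on `inputs.nap-modules` in the Setup secrets step are still required; if one certificate now covers both, that is worth stating on the step, e.g. `# plus-creds holds the cert/key used for both NGINX Plus and NAP builds`. The same consolidation happens in the build-plus-nap hunk of build-base-images.yml and in the build hunk of setup-smoke.yml.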

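--- a/.github/workflows/build-single-image.yml
+++ b/.github/workflows/build-single-image.yml
@@ -79,17 +79,35 @@ jobs:
 username: oauth2accesstoken
 password: ${{ steps.auth.outputs.access_token }}
 
-- name: Setup plus credentials
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ contains(inputs.target, 'plus') }}
+
+- name: Setup secrets
+id: secrets
 run: |
-printf '%s\n' "${CERT}" > nginx-repo.crt
-printf '%s\n' "${KEY}" > nginx-repo.key
-if [[ "${{ inputs.target }}" =~ ubi ]]; then
-printf '%s\n' "${RHEL}" > rhel_license
-fi
-env:
-CERT: ${{ secrets.NGINX_CRT }}
-KEY: ${{ secrets.NGINX_KEY }}
-RHEL: ${{ secrets.RHEL_LICENSE }}
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${CERT}"
+echo $CERT > nginx-repo.crt
+IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${KEY}"
+echo $KEY > nginx-repo.key
+IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${RHEL_CREDS}"
+echo $RHEL_CREDS > rhel_license
 if: ${{ contains(inputs.target, 'plus') }}
 
 - name: Fetch Cached Binary Artifacts
@@ -134,3 +152,8 @@ jobs:
 REGISTRY: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
 PREFIX: ${{ inputs.prefix }}
 TAG: ${{ inputs.tag }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key rhel_license
+if: always()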
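Review bot: The replaced step wrote the files with `printf '%s\n' "${CERT}"` and only created rhel_license when `inputs.target` matched ubi; the new Setup secrets step drops both, so `rhel-creds` is now fetched from the vault and written to disk for every plus target, not only ubi ones. Keeping the guard limits which secrets leave the vault on a given run: `if [[ "${{ inputs.target }}" =~ ubi ]]; then` around the RHEL_CREDS fetch, its masking loop and the write, closed with `fi`. build-plus.yml and setup-smoke.yml fetch rhel-creds unconditionally in the same way while only passing rhel_license for ubi images. Since the files land in the checkout that is also the build context, they should be listed in .dockerignore if any Dockerfile copies the context wholesale; that cannot be confirmed from this diff.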

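--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -473,6 +473,16 @@ jobs:
 PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt')
 echo "::add-mask::$PLUS_JWT"
 echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT
+IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${CERT}"
+echo $CERT > nginx-repo.crt
+IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${KEY}"
+echo $KEY > nginx-repo.key
 if: ${{ needs.checks.outputs.forked_workflow != 'true' }}
 
 - name: Authenticate to Google Cloud
@@ -529,9 +539,9 @@ jobs:
 build-args: |
 BUILD_OS=${{ matrix.base-os }}
 IC_VERSION=CI
-secrets: |
-${{ matrix.type == 'plus' && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }}
-${{ matrix.type == 'plus' && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }}
+secret-files: |
+${{ matrix.type == 'plus' && 'nginx-repo.crt=nginx-repo.crt' || '' }}
+${{ matrix.type == 'plus' && 'nginx-repo.key=nginx-repo.key' || '' }}
 if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
 
 - name: Deploy Kubernetes
@@ -590,6 +600,11 @@ jobs:
 done
 if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}
 
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key
+if: always()
+
 setup-matrix:
 if: ${{ inputs.force || (inputs.run_tests && inputs.run_tests || true) || needs.checks.outputs.docs_only != 'true' }}
 name: Setup Matrix for Smoke Tests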
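Review bot: nginx-repo.crt and nginx-repo.key are written in a step whose condition is `forked_workflow != 'true'` (first hunk), but the build step that now lists them under `secret-files` runs only when `forked_workflow == 'true'` (second hunk), so for a plus matrix entry on a forked run the build references files that were never created. With the old `secrets:` form an unavailable secret degraded to an empty value, whereas a missing `src` path for a buildx secret is, as far as I can tell, an error before the build starts. setup-smoke.yml has the same shape with `inputs.authenticated` on the writing step and `!inputs.authenticated` on the build, and build-plus.yml's second build step (conditioned on images_exist only) may hit it when `inputs.authenticated` is false. Either gate the `secret-files` entries on the same condition as the writing step, e.g. `${{ matrix.type == 'plus' && needs.checks.outputs.forked_workflow != 'true' && 'nginx-repo.crt=nginx-repo.crt' || '' }}`, or give the forked path its own way of producing the files. The step that the first hunk extends starts before the hunk.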

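--- a/.github/workflows/setup-smoke.yml
+++ b/.github/workflows/setup-smoke.yml
@@ -78,6 +78,21 @@ jobs:
 PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt')
 echo "::add-mask::$PLUS_JWT"
 echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT
+IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${CERT}"
+echo $CERT > nginx-repo.crt
+IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${KEY}"
+echo $KEY > nginx-repo.key
+IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${RHEL_CREDS}"
+echo $RHEL_CREDS > rhel_license
 if: ${{ inputs.authenticated }}
 
 - name: Authenticate to Google Cloud
@@ -163,10 +178,10 @@ jobs:
 IC_VERSION=CI
 ${{ contains(inputs.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }}
 ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
-secrets: |
-${{ contains(inputs.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }}
-${{ contains(inputs.image, 'nap') && format('"nginx-repo.key={0}"', secrets.NGINX_AP_KEY) || format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }}
-${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
+${{ contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
 if: ${{ !inputs.authenticated }}
 
 - name: Generate WAF v5 tgz from JSON
@@ -195,3 +210,8 @@ jobs:
 name: ${{ steps.smoke-tests.outputs.test-results-name }}
 path: ${{ steps.smoke-tests.outputs.test-results-path }}
 if: ${{ !cancelled() && steps.stable_exists.outputs.exists != 'true' }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key rhel_license
+if: always()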
if: always()
