build(netifyd): upgrade to v5 (#1290)

Author: Tbaile

.github/workflows/build-image.yml

@@ -35,7 +35,6 @@ jobs:
     env:
       USIGN_PUB_KEY: ${{ secrets.USIGN_PUB_KEY }}
       USIGN_PRIV_KEY: ${{ secrets.USIGN_PRIV_KEY }}
-      NETIFYD_ACCESS_TOKEN: ${{ secrets.NETIFYD_ACCESS_TOKEN }}
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       GH_REPO: ${{ github.repository }}
     steps:
@@ -52,13 +51,6 @@ jobs:
           # export NETHSECURITY_VERSION from build
           echo "NETHSECURITY_VERSION=$(grep -oP 'NETHSECURITY_VERSION=\K.*' build.conf.example)" >> $GITHUB_OUTPUT
 
-          # if NETIFYD_ACCESS_TOKEN is set, set NETIFYD_ENABLED to 1
-          if [[ -n "${{ env.NETIFYD_ACCESS_TOKEN }}" ]]; then
-            echo "NETIFYD_ENABLED=1" >> $GITHUB_OUTPUT
-          else
-            echo "NETIFYD_ENABLED=0" >> $GITHUB_OUTPUT
-          fi
-
           # When pushing a tag, set REPO_CHANNEL to stable
           if [[ "${{ github.ref }}" == refs/tags/* ]]; then
             echo "REPO_CHANNEL=stable" >> $GITHUB_OUTPUT
@@ -82,7 +74,6 @@ jobs:
           OWRT_VERSION: ${{ steps.build_vars.outputs.OWRT_VERSION }}
           NETHSECURITY_VERSION: ${{ steps.build_vars.outputs.NETHSECURITY_VERSION }}
           REPO_CHANNEL: ${{ steps.build_vars.outputs.REPO_CHANNEL }}
-          NETIFYD_ENABLED: ${{ steps.build_vars.outputs.NETIFYD_ENABLED }}
           TARGET: ${{ steps.build_vars.outputs.TARGET }}
         run: ./build-nethsec.sh
       - name: Update latest_release file

build-nethsec.sh

@@ -20,8 +20,6 @@ OWRT_VERSION=${OWRT_VERSION:?Missing OWRT_VERSION environment variable}
 NETHSECURITY_VERSION=${NETHSECURITY_VERSION:?Missing NETHSECURITY_VERSION environment variable}
 REPO_CHANNEL=${REPO_CHANNEL:-dev}
 TARGET=${TARGET:-x86_64}
-NETIFYD_ENABLED=${NETIFYD_ENABLED:-0}
-NETIFYD_ACCESS_TOKEN=${NETIFYD_ACCESS_TOKEN}
 
 if [ -f "./key-build" ] && [ -f "./key-build.pub" ]; then
     USIGN_PRIV_KEY="$(cat ./key-build)"
@@ -40,7 +38,6 @@ podman build \
     --build-arg REPO_CHANNEL="$REPO_CHANNEL" \
     --build-arg TARGET="$TARGET" \
     --build-arg NETHSECURITY_VERSION="$NETHSECURITY_VERSION" \
-    --build-arg NETIFYD_ENABLED="$NETIFYD_ENABLED" \
     .
 
 set +e
@@ -49,8 +46,6 @@ status=0
 podman run \
     --env USIGN_PRIV_KEY="$USIGN_PRIV_KEY" \
     --env USIGN_PUB_KEY="$USIGN_PUB_KEY" \
-    --env NETIFYD_ENABLED="$NETIFYD_ENABLED" \
-    --env NETIFYD_ACCESS_TOKEN="$NETIFYD_ACCESS_TOKEN" \
     --name nethsecurity-builder \
     --interactive \
     --tty \

build.conf.example

@@ -2,5 +2,3 @@ OWRT_VERSION=v24.10.3
 NETHSECURITY_VERSION=8.7.1
 TARGET=x86_64
 REPO_CHANNEL=dev
-NETIFYD_ENABLED=0
-NETIFYD_ACCESS_TOKEN=

builder/Containerfile

@@ -64,7 +64,6 @@ ARG REPO_CHANNEL
 ARG TARGET
 ARG NETHSECURITY_VERSION
 COPY --chmod=777 builder/configure-build.sh /usr/local/bin/configure-build
-ARG NETIFYD_ENABLED=0
 RUN /usr/local/bin/configure-build
 COPY --chmod=777 builder/entrypoint.sh /usr/local/bin/entrypoint.sh
 ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]

builder/configure-build.sh

@@ -39,21 +39,6 @@ CONFIG_VERSION_SUPPORT_URL="https://community.nethserver.org"
 EOF
 cat "config/targets/${target}.conf" >> .config
 
-# Netifyd closed-sources plugin
-if [ "$NETIFYD_ENABLED" -eq "0" ]; then
-    echo "Netifyd closed-sources plugin not enabled: skipping ns-dpi package"
-    echo CONFIG_PACKAGE_ns-dpi=n >> .config
-else
-    echo "Netifyd closed-sources plugin enabled: enabling ns-dpi package"
-    cat << EOF >> .config
-CONFIG_PACKAGE_netify-flow-actions=y
-CONFIG_NETIFY_FLOW_ACTIONS_TARGET_LOG=y
-CONFIG_NETIFY_FLOW_ACTIONS_TARGET_CTLABEL=y
-CONFIG_NETIFY_FLOW_ACTIONS_TARGET_NFTSET=y
-CONFIG_PACKAGE_netify-plugin-stats=y
-EOF
-fi
-
 # Write version information into a file
 echo "${repo_channel}" > files/etc/repo-channel
 

builder/entrypoint.sh

@@ -7,12 +7,6 @@
 
 set -e
 
-if [ ! "$NETIFYD_ENABLED" -eq "0" ]; then
-    echo "Netifyd is enabled, downloading sources..."
-    git clone "https://oauth2:$NETIFYD_ACCESS_TOKEN@gitlab.com/netify.ai/private/nethesis/netify-flow-actions.git"
-    git clone "https://oauth2:$NETIFYD_ACCESS_TOKEN@gitlab.com/netify.ai/private/nethesis/netify-agent-stats-plugin.git"
-fi
-
 if [ -n "$USIGN_PUB_KEY" ] && [ -n "$USIGN_PRIV_KEY" ]; then
     echo "$USIGN_PUB_KEY" > /home/buildbot/openwrt/key-build.pub
     echo "$USIGN_PRIV_KEY" > /home/buildbot/openwrt/key-build

docs/build/index.md

@@ -71,20 +71,17 @@ The `build-nethsec.sh` script behavior can be changed by giving the following en
 - `NETHSECURITY_VERSION`: specify what to call the NethSecurity image; **required**
 - `TARGET`: specify the target to build; if not set default is `x86_64`
 - `REPO_CHANNEL`: specify the channel to publish the image to; if not set default is `dev`
-- `NETIFYD_ENABLED`: configure if netifyd plugins should be downloaded and compiled; if not set, default is `0` (disabled)
-- `NETIFYD_ACCESS_TOKEN`: token to download the netifyd plugins; if not set, default is empty, required if `NETIFYD_ENABLED` is set to `1`
 - `USIGN_PUB_KEY` and `USIGN_PRIV_KEY`: see [package signing section](#package-signing)
    with the given keys
 
-The `USIGN_PUB_KEY`, `USIGN_PRIV_KEY` and `NETIFYD_ACCESS_TOKEN` variables are always set as secrets
-inside the CI pipeline, but for [security reasons](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#accessing-secrets)
+The `USIGN_PUB_KEY`, `USIGN_PRIV_KEY` variables are always set as secrets inside the CI pipeline, but 
+for [security reasons](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#accessing-secrets)
 they are not accessible when building pull requests from forks.
 
 ### Build locally for a release
 
 If you need to build some packages locally for a release, make sure the following environment variables are set:
 - `USIGN_PUB_KEY` and `USIGN_PRIV_KEY`: refer to the [package signing section](#package-signing) for more info
-- `NETIFYD_ENABLED` and `NETIFYD_ACCESS_TOKEN`: required to download and compile netifyd closed source plugins
 
 Then execute the build as described in the [Build locally](#build-locally) section.
 
@@ -282,20 +279,6 @@ Or you can have the keys as two files named `key-build` and `key-build.pub` in t
 
 Builds executed inside CI will sign the packages with the correct key.
 
-### Netifyd plugins
-
-NethSecurity uses two [netifyd](https://gitlab.com/netify.ai/public/netify-agent) proprietary plugins from [Netify](https://www.netify.ai/):
-
-- Netify Flow Actions Plugin (netify-flow-actions)
-- Netify Agent Stats Plugin (netify-plugin-stats)
-
-The plugins should be used with the latest netifyd stable version (4.4.3 at the time of writing).
-To create the files for the build, follow the steps below. Such steps should be needed only after a netifyd/plugin version change.
-
-Both plugins source code is hosted on a private repository at [GitLab](https://gitlab.com).
-To access it, you must set `NETIFYD_ENABLED=1` and provide a personal access token with read access to the private repositories. And then `NETIFYD_ACCESS_TOKEN` environment variable must be set to the token value.
-
-
 ## Self-hosted runner
 
 The build system uses a GitHub-hosted runner to build the images.