Migrate NGINX Plus secrets to Azure Vault #489
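# Builds the OSS, Plus and Plus+NAP base images and pushes them to GCR.
# Plus credentials for the `build-plus` job are fetched from Azure Key Vault at
# run time and written to short-lived files that are removed in a final step.
name: Build Base Images

on:
  workflow_dispatch:
  workflow_call:
  schedule:
    - cron: "30 4 * * 1-5" # run Mon-Fri at 04:30 UTC
  pull_request:
    branches:
      - main

defaults:
  run:
    # bash steps run with `-e -o pipefail`, so a failing command fails the step.
    shell: bash

concurrency:
  group: ${{ github.ref_name }}-base-image
  cancel-in-progress: false

# Workflow-level default; jobs that need more declare it explicitly below.
permissions:
  contents: read

jobs:
  checks:
    name: Checks and variables
    runs-on: ubuntu-24.04
    outputs:
      docker_md5: ${{ steps.vars.outputs.docker_md5 }}
      ic_version: ${{ steps.vars.outputs.ic_version }}
      image_matrix_oss: ${{ steps.vars.outputs.image_matrix_oss }}
      image_matrix_plus: ${{ steps.vars.outputs.image_matrix_plus }}
      image_matrix_nap: ${{ steps.vars.outputs.image_matrix_nap }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Output Variables
        id: vars
        # Matrices are read from JSON files in the repo and compacted to one line
        # so they can be passed through a job output and `fromJSON` below.
        run: |
          ./.github/scripts/variables.sh docker_md5 >> "$GITHUB_OUTPUT"
          source .github/data/version.txt
          echo "ic_version=${IC_VERSION}" >> "$GITHUB_OUTPUT"
          echo "image_matrix_oss=$(jq -c . .github/data/matrix-images-oss.json)" >> "$GITHUB_OUTPUT"
          echo "image_matrix_plus=$(jq -c . .github/data/matrix-images-plus.json)" >> "$GITHUB_OUTPUT"
          echo "image_matrix_nap=$(jq -c . .github/data/matrix-images-nap.json)" >> "$GITHUB_OUTPUT"
          cat "$GITHUB_OUTPUT"

  build-oss:
    name: Build OSS base images
    runs-on: ubuntu-24.04
    needs: checks
    permissions:
      contents: read
      # NOTE(review): no scout step is present in this file (same in build-plus
      # and build-plus-nap); confirm this write scope is still required.
      pull-requests: write # for scout report
      id-token: write # OIDC token for Google Cloud workload identity
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Setup QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: arm64

      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          token_format: access_token
          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

      - name: Login to GCR
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: gcr.io
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
        with:
          images: |
            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss
          flavor: |
            suffix=-${{ matrix.image }},onlatest=false
          # The tag is the Dockerfile md5 from `checks`; no tag is produced when it is empty.
          tags: |
            type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}

      - name: Build Base Container
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          file: build/Dockerfile
          context: "."
          cache-from: type=gha,scope=${{ matrix.image }}
          cache-to: type=gha,scope=${{ matrix.image }},mode=max
          target: common
          tags: ${{ steps.meta.outputs.tags }}
          platforms: ${{ matrix.platforms }}
          pull: true
          push: true
          build-args: |
            BUILD_OS=${{ matrix.image }}
            IC_VERSION=${{ needs.checks.outputs.ic_version }}

  build-plus:
    name: Build Plus base images
    runs-on: ubuntu-24.04
    needs: checks
    permissions:
      contents: read
      id-token: write # OIDC token for Azure login and Google Cloud workload identity
      pull-requests: write # for scout report
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Azure login
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}

      - name: Setup secrets
        id: secrets
        # The vault name is passed through the environment instead of being
        # interpolated into the script so its value is never part of the shell source.
        env:
          KEYVAULT_NAME: ${{ secrets.NIC_KEYVAULT_NAME }}
        # Fetches the `plus-creds` JSON value and splits its `.crt` / `.key`
        # fields into the files mounted by the build step below.
        run: |
          echo "Setting secrets for job"
          PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name "$KEYVAULT_NAME" --query value -o tsv)
          # ::add-mask:: matches the exact string; assumes the vault value is
          # single-line JSON — TODO confirm (multi-line values need one mask per line).
          echo "::add-mask::$PLUS_CREDS"
          # printf + quoting keeps the JSON out of word splitting and glob expansion;
          # jq -e fails the step when a field is missing instead of writing "null".
          printf '%s' "$PLUS_CREDS" | jq -er '.crt' > nginx-repo.crt
          printf '%s' "$PLUS_CREDS" | jq -er '.key' > nginx-repo.key

      - name: Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Setup QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: arm64

      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          token_format: access_token
          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

      - name: Login to GCR
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: gcr.io
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
        with:
          images: |
            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus
          flavor: |
            suffix=-${{ matrix.image }},onlatest=false
          tags: |
            type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}

      - name: Build Base Container
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          file: build/Dockerfile
          context: "."
          cache-from: type=gha,scope=${{ matrix.image }}
          cache-to: type=gha,scope=${{ matrix.image }},mode=max
          target: common
          tags: ${{ steps.meta.outputs.tags }}
          platforms: ${{ matrix.platforms }}
          pull: true
          push: true
          build-args: |
            BUILD_OS=${{ matrix.image }}
            IC_VERSION=${{ needs.checks.outputs.ic_version }}
          # Block scalar keeps one `id=path` entry per line; a plain multi-line
          # scalar would be folded into a single entry.
          secret-files: |
            nginx-repo.crt=./nginx-repo.crt
            nginx-repo.key=./nginx-repo.key

      - name: Clean up secrets
        # Runs even when the build fails so the key material never outlives the job.
        if: always()
        run: |
          rm -f nginx-repo.crt nginx-repo.key

  build-plus-nap:
    name: Build Plus NAP base images
    runs-on: ubuntu-24.04
    needs: checks
    permissions:
      contents: read
      id-token: write # OIDC token for Google Cloud workload identity
      pull-requests: write # for scout report
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          token_format: access_token
          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

      - name: Login to GCR
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: gcr.io
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}

      - name: NAP modules
        id: nap_modules
        # Matrix value goes through the environment rather than being spliced
        # into the script text, so it is treated as data by the shell.
        env:
          NAP_MODULES: ${{ matrix.nap_modules }}
        # Maps the "waf,dos" combination to the "waf-dos" image suffix; any other
        # value is used as-is.
        run: |
          [[ "$NAP_MODULES" == "waf,dos" ]] && modules="waf-dos" || modules="$NAP_MODULES"
          echo "modules=${modules}" >> "$GITHUB_OUTPUT"
        if: ${{ matrix.nap_modules != '' }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
        with:
          images: |
            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus
          flavor: |
            suffix=-${{ matrix.image }}-${{ steps.nap_modules.outputs.modules }},onlatest=false
          tags: |
            type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}

      - name: Build Base Container
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          file: build/Dockerfile
          context: "."
          cache-from: type=gha,scope=${{ matrix.image }}-${{ steps.nap_modules.outputs.modules }}
          cache-to: type=gha,scope=${{ matrix.image }}-${{ steps.nap_modules.outputs.modules }},mode=max
          target: common
          tags: ${{ steps.meta.outputs.tags }}
          platforms: ${{ matrix.platforms }}
          pull: true
          push: true
          build-args: |
            BUILD_OS=${{ matrix.image }}
            IC_VERSION=${{ needs.checks.outputs.ic_version }}
            NAP_MODULES=${{ matrix.nap_modules }}
          # NOTE(review): these are still sourced from GitHub secrets rather than
          # Key Vault as in build-plus — confirm whether NAP is meant to migrate too.
          # The rhel_license line expands to an empty line for non-UBI images.
          secrets: |
            "nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}"
            "nginx-repo.key=${{ secrets.NGINX_AP_KEY }}"
            ${{ contains(matrix.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}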