Switch rhel license to use azure vault

pdabelf5 · pdabelf5 · commit 12c5ec3ce6af · 2025-11-10T15:29:18.000Z
diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
@@ -188,8 +188,8 @@ jobs:
             BUILD_OS=${{ matrix.image }}
             IC_VERSION=${{ needs.checks.outputs.ic_version }}
           secret-files: |
-            nginx-repo.crt=./nginx-repo.crt
-            nginx-repo.key=./nginx-repo.key
+            nginx-repo.crt=nginx-repo.crt
+            nginx-repo.key=nginx-repo.key
 
       - name: Clean up secrets
         run: |
@@ -226,6 +226,7 @@ jobs:
           echo "::add-mask::$PLUS_CREDS"
           echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
           echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
+          az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license
 
       - name: Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -280,12 +281,11 @@ jobs:
             IC_VERSION=${{ needs.checks.outputs.ic_version }}
             NAP_MODULES=${{ matrix.nap_modules }}
           secret-files: |
-            nginx-repo.crt=./nginx-repo.crt
-            nginx-repo.key=./nginx-repo.key
-          secrets: |
-            ${{ contains(matrix.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+            nginx-repo.crt=nginx-repo.crt
+            nginx-repo.key=nginx-repo.key
+            ${{ contains(matrix.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
 
       - name: Clean up secrets
         run: |
-          rm -f nginx-repo.crt nginx-repo.key
+          rm -f nginx-repo.crt nginx-repo.key rhel_license
         if: always()
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
@@ -175,8 +175,7 @@ jobs:
           secret-files: |
             nginx-repo.crt=nginx-repo.crt
             nginx-repo.key=nginx-repo.key
-          secrets: |
-            ${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+            ${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
         if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }}
 
       - name: Debug values
@@ -221,8 +220,7 @@ jobs:
           secret-files: |
             nginx-repo.crt=nginx-repo.crt
             nginx-repo.key=nginx-repo.key
-          secrets: |
-            ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+            ${{ contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
         if: ${{  steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Make directory for security scan results
@@ -245,5 +243,5 @@ jobs:
 
       - name: Clean up secrets
         run: |
-          rm -f nginx-repo.crt nginx-repo.key
+          rm -f nginx-repo.crt nginx-repo.key rhel_license
         if: always()
diff --git a/.github/workflows/build-single-image.yml b/.github/workflows/build-single-image.yml
@@ -95,15 +95,7 @@ jobs:
           echo "::add-mask::$PLUS_CREDS"
           echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
           echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
-        if: ${{ contains(inputs.target, 'plus') }}
-
-      - name: Setup plus credentials
-        run: |
-          if [[ "${{ inputs.target }}" =~ ubi ]]; then
-            printf '%s\n' "${RHEL}" > rhel_license
-          fi
-        env:
-          RHEL: ${{ secrets.RHEL_LICENSE }}
+          az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license
         if: ${{ contains(inputs.target, 'plus') }}
 
       - name: Fetch Cached Binary Artifacts
@@ -121,14 +113,6 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GOPATH: ${{ steps.vars.outputs.go_path }}
-          AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }}
-          AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }}
-          AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }}
-          AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }}
-          AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }}
-          AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }}
-          AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }}
-          AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }}
           GORELEASER_CURRENT_TAG: "v${{ steps.vars.outputs.ic_version }}"
         if: ${{ steps.binary-cache.outputs.binary_cache_hit != 'true' }}
 
@@ -159,5 +143,5 @@ jobs:
 
       - name: Clean up secrets
         run: |
-          rm -f nginx-repo.crt nginx-repo.key
+          rm -f nginx-repo.crt nginx-repo.key rhel_license
         if: always()
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
@@ -80,6 +80,7 @@ jobs:
           echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT
           echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
           echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
+          az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license
         if: ${{ inputs.authenticated }}
 
       - name: Authenticate to Google Cloud
@@ -166,10 +167,9 @@ jobs:
             ${{ contains(inputs.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }}
             ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
           secret-files: |
-            nginx-repo.crt=./nginx-repo.crt
-            nginx-repo.key=./nginx-repo.key
-          secrets: |
-            ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+            nginx-repo.crt=nginx-repo.crt
+            nginx-repo.key=nginx-repo.key
+            ${{ contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
         if: ${{ !inputs.authenticated }}
 
       - name: Generate WAF v5 tgz from JSON
@@ -202,5 +202,5 @@ jobs:
 
       - name: Clean up secrets
         run: |
-          rm -f nginx-repo.crt nginx-repo.key
+          rm -f nginx-repo.crt nginx-repo.key rhel_license
         if: always()
