
Commit 8a5a710

AlexFenlonpdabelf5
authored andcommitted
Update CRT and KEY to use az
1 parent f2e172e commit 8a5a710


5 files changed

+157
-40
lines changed


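--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -122,6 +122,22 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
+echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
+
 - name: Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
@@ -171,9 +187,14 @@ jobs:
 build-args: |
 BUILD_OS=${{ matrix.image }}
 IC_VERSION=${{ needs.checks.outputs.ic_version }}
-secrets: |
-"nginx-repo.crt=${{ secrets.NGINX_CRT }}"
-"nginx-repo.key=${{ secrets.NGINX_KEY }}"
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key
+if: always()
 
 build-plus-nap:
 name: Build Plus NAP base images
@@ -190,6 +211,23 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
+echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
+az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license
+
 - name: Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
@@ -242,7 +280,12 @@ jobs:
 BUILD_OS=${{ matrix.image }}
 IC_VERSION=${{ needs.checks.outputs.ic_version }}
 NAP_MODULES=${{ matrix.nap_modules }}
-secrets: |
-"nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}"
-"nginx-repo.key=${{ secrets.NGINX_AP_KEY }}"
-${{ contains(matrix.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
+${{ contains(matrix.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key rhel_license
+if: always()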
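Review bot: The new `Setup secrets` steps parse the vault value with `echo $PLUS_CREDS | jq -r '.crt'`, where the unquoted expansion is subject to word splitting and pathname expansion and `echo` may interpret a leading option or backslashes, so the credential JSON should be handed to jq verbatim: `jq -er '.crt' <<<"$PLUS_CREDS" > nginx-repo.crt` (and likewise for `.key`). The `-e` flag also makes the step fail when the field is absent, whereas `jq -r` currently writes the literal string `null` into `nginx-repo.crt` and the problem only surfaces later inside the Docker build with a less useful error. Note too that `::add-mask::` registers the JSON blob as a whole, so the extracted PEM strings are not individually masked if any later step happens to print the files. The second job's step additionally fetches `rhel-creds` for every matrix entry even though only the `ubi` images pass `rhel_license` to the build, which materialises a credential on the runner that most entries never use.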

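--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -63,6 +63,25 @@ jobs:
 ref: ${{ inputs.branch }}
 fetch-depth: 0
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ inputs.authenticated }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
+echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
+az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license
+if: ${{ inputs.authenticated }}
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
@@ -154,10 +173,10 @@ jobs:
 BUILD_OS=${{ inputs.image }}
 IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
 ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
-secrets: |
-"nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
-"nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
-${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
+${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
 if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }}
 
 - name: Debug values
@@ -199,10 +218,10 @@ jobs:
 IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
 ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
 ${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
-secrets: |
-"nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
-"nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
-${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
+${{ contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
 if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
 - name: Make directory for security scan results
@@ -222,3 +241,8 @@ jobs:
 github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
 summary: true
 if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key rhel_license
+if: always()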
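Review bot: The `Setup secrets` step at new lines 74-83 runs only when `inputs.authenticated` is true, but the build step whose `secret-files` block ends at new line 224 is gated on `base_exists != 'true' || target_exists != 'true'` with no `inputs.authenticated` term, so on an unauthenticated run it now points buildx at `nginx-repo.crt` and `nginx-repo.key` that were never written; with the old `secrets:` form those entries merely expanded to empty strings, whereas a missing `secret-files` source is a hard error. Either add `inputs.authenticated` to that step's condition or make the two entries conditional the way `rhel_license` already is, e.g. `${{ inputs.authenticated && 'nginx-repo.crt=nginx-repo.crt' || '' }}`. I can only see the hunks, so if unauthenticated invocations never reach that step this is moot. Separately, the step fetches `rhel-creds` for every run although only the `ubi` images consume `rhel_license`, which puts a credential on disk that most runs never use.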

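--- a/.github/workflows/build-single-image.yml
+++ b/.github/workflows/build-single-image.yml
@@ -79,17 +79,23 @@ jobs:
 username: oauth2accesstoken
 password: ${{ steps.auth.outputs.access_token }}
 
-- name: Setup plus credentials
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ contains(inputs.target, 'plus') }}
+
+- name: Setup secrets
+id: secrets
 run: |
-printf '%s\n' "${CERT}" > nginx-repo.crt
-printf '%s\n' "${KEY}" > nginx-repo.key
-if [[ "${{ inputs.target }}" =~ ubi ]]; then
-printf '%s\n' "${RHEL}" > rhel_license
-fi
-env:
-CERT: ${{ secrets.NGINX_CRT }}
-KEY: ${{ secrets.NGINX_KEY }}
-RHEL: ${{ secrets.RHEL_LICENSE }}
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
+echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
+az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license
 if: ${{ contains(inputs.target, 'plus') }}
 
 - name: Fetch Cached Binary Artifacts
@@ -107,14 +113,6 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GOPATH: ${{ steps.vars.outputs.go_path }}
-AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }}
-AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }}
-AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }}
-AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }}
-AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }}
-AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }}
-AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }}
-AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }}
 GORELEASER_CURRENT_TAG: "v${{ steps.vars.outputs.ic_version }}"
 if: ${{ steps.binary-cache.outputs.binary_cache_hit != 'true' }}
 
@@ -142,3 +140,8 @@ jobs:
 REGISTRY: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
 PREFIX: ${{ inputs.prefix }}
 TAG: ${{ inputs.tag }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key rhel_license
+if: always()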
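Review bot: The step that was removed wrote `rhel_license` only when `inputs.target` matched `ubi`, but the replacement at new line 98 pulls `rhel-creds` from Key Vault and writes it to the workspace for every plus target, which widens the set of secrets materialised on the runner for no gain. Keeping the old guard around that one line restores least privilege: `if [[ "${{ inputs.target }}" =~ ubi ]]; then az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license; fi`. The same step also replaces a quoted `printf '%s\n'` with an unquoted `echo $PLUS_CREDS | jq -r ...`; `jq -er '.crt' <<<"$PLUS_CREDS"` avoids word splitting and glob expansion of secret material and fails instead of writing `null` when the field is missing. The deletion of the eight `AWS_*` env vars at old lines 110-117 looks unrelated to the commit message and deserves a sentence in the description, or a separate commit.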

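--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -436,6 +436,24 @@ jobs:
 with:
 version: 'v3.18.6'
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ needs.checks.outputs.forked_workflow != 'true' }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
+echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
+if: ${{ needs.checks.outputs.forked_workflow != 'true' }}
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
@@ -490,9 +508,9 @@ jobs:
 build-args: |
 BUILD_OS=${{ matrix.base-os }}
 IC_VERSION=CI
-secrets: |
-${{ matrix.type == 'plus' && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }}
-${{ matrix.type == 'plus' && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }}
+secret-files: |
+${{ matrix.type == 'plus' && 'nginx-repo.crt=nginx-repo.crt' || '' }}
+${{ matrix.type == 'plus' && 'nginx-repo.key=nginx-repo.key' || '' }}
 if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
 
 - name: Deploy Kubernetes
@@ -551,6 +569,11 @@ jobs:
 done
 if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}
 
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key
+if: always()
+
 setup-matrix:
 if: ${{ inputs.force || (inputs.run_tests && inputs.run_tests || true) || needs.checks.outputs.docs_only != 'true' }}
 name: Setup Matrix for Smoke Tests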
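Review bot: The conditions on the new steps and on their consumer look inverted relative to each other: `Setup secrets` at new lines 447-455 runs only when `needs.checks.outputs.forked_workflow != 'true'`, yet the build step that lists `nginx-repo.crt` and `nginx-repo.key` under `secret-files` (ending at new line 514) runs only when `forked_workflow == 'true'`, so the files are written in the run that does not reference them and referenced in the run where they were never written. For a fork the `plus` matrix entry will now fail inside buildx on a missing secret source file rather than, as before, proceeding with empty credentials. If a step outside these hunks consumes the files on the non-forked path the fetch itself may be intended, but the forked build should then not name them, e.g. `${{ matrix.type == 'plus' && needs.checks.outputs.forked_workflow != 'true' && 'nginx-repo.crt=nginx-repo.crt' || '' }}`, or the `if:` on the build step should be corrected. Steps outside the visible hunks may change this reading.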
576+
554577
setup-matrix:
555578
if: ${{ inputs.force || (inputs.run_tests && inputs.run_tests || true) || needs.checks.outputs.docs_only != 'true' }}
556579
name: Setup Matrix for Smoke Tests

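--- a/.github/workflows/setup-smoke.yml
+++ b/.github/workflows/setup-smoke.yml
@@ -61,6 +61,25 @@ jobs:
 echo "build_tag=${{ inputs.build-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT
 echo "stable_tag=${{ inputs.stable-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ inputs.authenticated }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
+echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
+az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license
+if: ${{ inputs.authenticated }}
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
@@ -144,10 +163,10 @@ jobs:
 IC_VERSION=CI
 ${{ contains(inputs.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }}
 ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
-secrets: |
-${{ contains(inputs.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }}
-${{ contains(inputs.image, 'nap') && format('"nginx-repo.key={0}"', secrets.NGINX_AP_KEY) || format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }}
-${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
+${{ contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
 if: ${{ !inputs.authenticated }}
 
 - name: Generate WAF v5 tgz from JSON
@@ -177,3 +196,8 @@ jobs:
 name: ${{ steps.smoke-tests.outputs.test-results-name }}
 path: ${{ steps.smoke-tests.outputs.test-results-path }}
 if: ${{ !cancelled() && steps.stable_exists.outputs.exists != 'true' }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key rhel_license
+if: always()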
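Review bot: `Setup secrets` at new lines 72-81 is gated on `inputs.authenticated`, while the only step in these hunks that consumes `nginx-repo.crt`, `nginx-repo.key` and `rhel_license` through `secret-files` (ending at new line 170) is gated on `!inputs.authenticated`, so on the unauthenticated path buildx is pointed at files that were never written, and on the authenticated path the Key Vault round-trip produces files nothing visible here reads. One of the two conditions is probably wrong; if the unauthenticated build is meant to run without Plus credentials, the two `secret-files` entries need the same `&& ... || ''` form already used for `rhel_license` so the build does not fail on a missing source file. Note also that the old `secrets:` block chose `NGINX_AP_CRT`/`NGINX_AP_KEY` for `nap` images and the new code uses the single `plus-creds` vault entry for both, which only works if that certificate is entitled for the App Protect repositories. Steps outside the visible hunks may change this picture.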
