
Commit d366019

Update CRT and KEY to use az
1 parent 29afd04 commit d366019


5 files changed

+96
-18
lines changed


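--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -5,9 +5,6 @@ on:
 workflow_call:
 schedule:
 - cron: "30 4 * * 1-5" # run Mon-Fri at 04:30 UTC
-pull_request:
-branches:
-- main
 
 defaults:
 run:
@@ -214,6 +211,22 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
+echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
+
 - name: Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
@@ -266,7 +279,13 @@ jobs:
 BUILD_OS=${{ matrix.image }}
 IC_VERSION=${{ needs.checks.outputs.ic_version }}
 NAP_MODULES=${{ matrix.nap_modules }}
+secret-files: |
+nginx-repo.crt=./nginx-repo.crt
+nginx-repo.key=./nginx-repo.key
 secrets: |
-"nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}"
-"nginx-repo.key=${{ secrets.NGINX_AP_KEY }}"
 ${{ contains(matrix.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key
+if: always()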
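Review bot: In the Setup secrets step, `jq -r '.crt'` and `jq -r '.key'` print `null` and exit 0 when the field is missing from the Key Vault JSON, so a malformed `plus-creds` secret silently yields a `nginx-repo.crt` containing the string `null` and the job only fails later inside the image build with an unrelated error; `jq -er '.crt'` makes the step fail at the source. Unquoted `echo $PLUS_CREDS` also exposes the JSON to word splitting and glob expansion, so `printf '%s' "$PLUS_CREDS" | jq -er '.crt' > nginx-repo.crt` (and the same for `.key`) is the safer form. azure/login with only `client-id`/`tenant-id`/`subscription-id` relies on OIDC federation, which needs `id-token: write` in the job's `permissions`; that block is outside the hunk, so confirm it is present. The job these steps belong to starts before the hunk and continues past it.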

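--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -63,6 +63,24 @@ jobs:
 ref: ${{ inputs.branch }}
 fetch-depth: 0
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ inputs.authenticated }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
+echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
+if: ${{ inputs.authenticated }}
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
@@ -154,9 +172,10 @@ jobs:
 BUILD_OS=${{ inputs.image }}
 IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
 ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
 secrets: |
-"nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
-"nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
 ${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
 if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }}
 
@@ -199,9 +218,10 @@ jobs:
 IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
 ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
 ${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
 secrets: |
-"nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
-"nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
 ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
 if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
@@ -222,3 +242,8 @@ jobs:
 github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
 summary: true
 if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key
+if: always()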
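Review bot: The build step in the third hunk runs under `if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}` with no `inputs.authenticated` guard, while the Azure login and Setup secrets steps in the first hunk run only `if: ${{ inputs.authenticated }}`, so on an unauthenticated run the new `secret-files:` entries name `nginx-repo.crt`/`nginx-repo.key` that nothing wrote and docker/build-push-action should fail resolving the file, where the old `secrets:` lines passed the repository secrets (possibly empty). If that path is meant to build, gate it like the second hunk's step (`if: ${{ inputs.authenticated && ... }}`) or write the files on that path too; if it is not, the guard at least makes the intent explicit. Smaller points: `id: secrets` sets no outputs and can go, and these entries omit the `./` prefix used in build-base-images.yml and setup-smoke.yml, so pick one form across the workflows. Both build steps begin before their hunks.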

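--- a/.github/workflows/build-single-image.yml
+++ b/.github/workflows/build-single-image.yml
@@ -79,16 +79,30 @@ jobs:
 username: oauth2accesstoken
 password: ${{ steps.auth.outputs.access_token }}
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ contains(inputs.target, 'plus') }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
+echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
+if: ${{ contains(inputs.target, 'plus') }}
+
 - name: Setup plus credentials
 run: |
-printf '%s\n' "${CERT}" > nginx-repo.crt
-printf '%s\n' "${KEY}" > nginx-repo.key
 if [[ "${{ inputs.target }}" =~ ubi ]]; then
 printf '%s\n' "${RHEL}" > rhel_license
 fi
 env:
-CERT: ${{ secrets.NGINX_CRT }}
-KEY: ${{ secrets.NGINX_KEY }}
 RHEL: ${{ secrets.RHEL_LICENSE }}
 if: ${{ contains(inputs.target, 'plus') }}
 
@@ -142,3 +156,8 @@ jobs:
 REGISTRY: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
 PREFIX: ${{ inputs.prefix }}
 TAG: ${{ inputs.tag }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key
+if: always()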
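Review bot: The new Clean up secrets step removes only `nginx-repo.crt` and `nginx-repo.key`, but the Setup plus credentials step it is meant to cover still writes `rhel_license` from `secrets.RHEL_LICENSE` for ubi targets and nothing deletes it, so `rm -f nginx-repo.crt nginx-repo.key rhel_license` is needed for the cleanup to match what the job writes to the workspace. The Azure login + Setup secrets pair is now the third verbatim copy in this commit (build-base-images.yml and build-plus.yml carry the same lines), so a local composite action taking the vault name as an input would keep the fetch, masking and file-writing in one place. The enclosing job starts before the first hunk.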

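--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -453,6 +453,8 @@ jobs:
 PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt')
 echo "::add-mask::$PLUS_JWT"
 echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT
+echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
+echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
 if: ${{ needs.checks.outputs.forked_workflow != 'true' }}
 
 - name: Authenticate to Google Cloud
@@ -509,9 +511,9 @@ jobs:
 build-args: |
 BUILD_OS=${{ matrix.base-os }}
 IC_VERSION=CI
-secrets: |
-${{ matrix.type == 'plus' && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }}
-${{ matrix.type == 'plus' && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }}
+secret-files: |
+${{ matrix.type == 'plus' && 'nginx-repo.crt=nginx-repo.crt' || '' }}
+${{ matrix.type == 'plus' && 'nginx-repo.key=nginx-repo.key' || '' }}
 if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
 
 - name: Deploy Kubernetes
@@ -570,6 +572,11 @@ jobs:
 done
 if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}
 
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key
+if: always()
+
 setup-matrix:
 if: ${{ inputs.force || (inputs.run_tests && inputs.run_tests || true) || needs.checks.outputs.docs_only != 'true' }}
 name: Setup Matrix for Smoke Tests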
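Review bot: The conditions in the first two hunks are disjoint: the files are written only under `if: ${{ needs.checks.outputs.forked_workflow != 'true' }}`, but the build step that consumes them via `secret-files:` runs under `if: ${{ needs.checks.outputs.forked_workflow == 'true' && ... }}`, so as far as these hunks show a plus build on a forked run now points docker/build-push-action at `nginx-repo.crt`/`nginx-repo.key` that do not exist, where the old `secrets:` lines passed `secrets.NGINX_CRT`/`NGINX_KEY` (empty for forks, but a value). Unless another step outside the hunks writes the files on the forked path, either that path needs its own source for them or the failure should be made explicit before the build, e.g. a `test -s nginx-repo.crt && test -s nginx-repo.key` step whose message names the missing plus credentials, rather than a buildx path lookup error. Both steps are in a job whose definition starts before the first hunk.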

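--- a/.github/workflows/setup-smoke.yml
+++ b/.github/workflows/setup-smoke.yml
@@ -78,6 +78,8 @@ jobs:
 PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt')
 echo "::add-mask::$PLUS_JWT"
 echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT
+echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
+echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
 if: ${{ inputs.authenticated }}
 
 - name: Authenticate to Google Cloud
@@ -163,9 +165,10 @@ jobs:
 IC_VERSION=CI
 ${{ contains(inputs.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }}
 ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
+secret-files: |
+nginx-repo.crt=./nginx-repo.crt
+nginx-repo.key=./nginx-repo.key
 secrets: |
-${{ contains(inputs.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }}
-${{ contains(inputs.image, 'nap') && format('"nginx-repo.key={0}"', secrets.NGINX_AP_KEY) || format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }}
 ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
 if: ${{ !inputs.authenticated }}
 
@@ -196,3 +199,8 @@ jobs:
 name: ${{ steps.smoke-tests.outputs.test-results-name }}
 path: ${{ steps.smoke-tests.outputs.test-results-path }}
 if: ${{ !cancelled() && steps.stable_exists.outputs.exists != 'true' }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key
+if: always()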
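Review bot: The step in the first hunk writes `nginx-repo.crt`/`nginx-repo.key` only `if: ${{ inputs.authenticated }}`, while the build step in the second hunk that consumes them through `secret-files:` runs `if: ${{ !inputs.authenticated }}` — the exact complement — so unless a step outside these hunks creates the files on the unauthenticated path, the new entries reference paths that never exist there and docker/build-push-action should fail on them, where the old `secrets:` lines at least passed the repository secrets. Either the unauthenticated path needs its own way of producing the files, or this step's inputs need revisiting; the hunks do not show a working combination. Separately, `::add-mask::` in the first hunk is registered for `$PLUS_JWT` but not for the certificate and key written by the new lines, so any later step that prints those file contents would not be redacted; masking the extracted values too, e.g. `echo "::add-mask::$(jq -r '.crt' <<<"$PLUS_CREDS")"`, closes that gap. Both steps belong to a job that starts before the first hunk.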
