diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 067fca7ad4..eb2a96551a 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -122,6 +122,30 @@ jobs: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${CERT}" + echo $CERT > nginx-repo.crt + IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${KEY}" + echo $KEY > nginx-repo.key + - name: Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 @@ -171,9 +195,14 @@ jobs: build-args: | BUILD_OS=${{ matrix.image }} IC_VERSION=${{ needs.checks.outputs.ic_version }} - secrets: | - "nginx-repo.crt=${{ secrets.NGINX_CRT }}" - "nginx-repo.key=${{ secrets.NGINX_KEY }}" + secret-files: | + nginx-repo.crt=nginx-repo.crt + nginx-repo.key=nginx-repo.key + + - name: Clean up secrets + run: | + rm -f nginx-repo.crt nginx-repo.key + if: always() build-plus-nap: name: Build Plus NAP base images 
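Review bot: The `Setup secrets` step writes the extracted values with an unquoted `echo $CERT > nginx-repo.crt`, which appears to rely on the side effect that `IFS=@ CERT=$(…)` (an assignment with no command word) leaves `IFS=@` set for the rest of the script so newlines survive word splitting; the value is still exposed to pathname expansion and the trick is easy to break on the next edit. The removed step in build-single-image.yml already had the robust form — `printf '%s\n' "${CERT}" > nginx-repo.crt` and `printf '%s\n' "${KEY}" > nginx-repo.key` — and with that form the `IFS=@` prefixes can go. `jq -r '.crt'` prints `null` when the field is absent from the vault payload and the script would write that string into the file, so a guard such as `[ -n "$CERT" ] && [ "$CERT" != null ] || { echo 'plus-creds is missing .crt' >&2; exit 1; }` after each extraction fails the job at the source instead of at the NGINX repository. Passing `${{ secrets.NIC_KEYVAULT_NAME }}` via an `env:` entry rather than interpolating it into the script text keeps expressions out of the shell. The same script is duplicated in build-base-images.yml @@ -190, build-plus.yml @@ -63, build-single-image.yml @@ -79, ci.yml @@ -436 and setup-smoke.yml @@ -61.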
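Review bot: The secret files are created in the job's working directory, i.e. inside the checkout, and stay there until the `Clean up secrets` step, so every intermediate step — and the Docker build context itself, unless a `.dockerignore` not shown here excludes them — can read `nginx-repo.crt` and `nginx-repo.key`, and the default umask leaves them world-readable on the runner. Writing them under the runner's temp directory keeps them out of the context and of any artifact upload: `nginx-repo.crt=${{ runner.temp }}/nginx-repo.crt` and `nginx-repo.key=${{ runner.temp }}/nginx-repo.key` under `secret-files:`, with the matching paths in the setup and `rm -f` lines, and a `umask 077` at the top of the setup script (or `install -m 600`) restricts the files to the runner user. `if: always()` on the cleanup step is the right choice. The same layout is used by the cleanup hunks in build-base-images.yml @@ -242, build-plus.yml @@ -222, build-single-image.yml @@ -142, ci.yml @@ -551 and setup-smoke.yml @@ -177.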
@@ -190,6 +219,35 @@ jobs: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${CERT}" + echo $CERT > nginx-repo.crt + IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${KEY}" + echo $KEY > nginx-repo.key + IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + while read -r line; do + echo "::add-mask::${line}" + done <<< "${RHEL_CREDS}" + echo $RHEL_CREDS > rhel_license + - name: Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 @@ -242,7 +300,12 @@ jobs: BUILD_OS=${{ matrix.image }} IC_VERSION=${{ needs.checks.outputs.ic_version }} NAP_MODULES=${{ matrix.nap_modules }} - secrets: | - "nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}" - "nginx-repo.key=${{ secrets.NGINX_AP_KEY }}" - ${{ contains(matrix.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} + secret-files: | + nginx-repo.crt=nginx-repo.crt + nginx-repo.key=nginx-repo.key + ${{ contains(matrix.image, 'ubi') && 'rhel_license=rhel_license' || '' }} + + - name: Clean up secrets + run: | + rm -f nginx-repo.crt nginx-repo.key rhel_license + if: always() 
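Review bot: `rhel-creds` is fetched from the vault and written to `rhel_license` for every matrix entry, although the build step in the @@ -242 hunk only mounts it when `contains(matrix.image, 'ubi')`, so non-UBI runs pull and stage a credential they never use. Wrapping that block in `if [[ "${{ matrix.image }}" == *ubi* ]]; then … fi` (the removed step in build-single-image.yml used the same shape with `inputs.target`) keeps the secret off the runner when it is not needed. build-plus.yml @@ -63, build-single-image.yml @@ -79 and setup-smoke.yml @@ -61 fetch it unconditionally too and could apply the same guard on their image/target input.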
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 025340a5d0..36bc23aa2c 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -63,6 +63,37 @@ jobs: ref: ${{ inputs.branch }} fetch-depth: 0 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ inputs.authenticated }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${CERT}" + echo $CERT > nginx-repo.crt + IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${KEY}" + echo $KEY > nginx-repo.key + IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + while read -r line; do + echo "::add-mask::${line}" + done <<< "${RHEL_CREDS}" + echo $RHEL_CREDS > rhel_license + if: ${{ inputs.authenticated }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 
@@ -154,10 +185,10 @@ jobs: BUILD_OS=${{ inputs.image }} IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }} ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }} - secrets: | - "nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}" - "nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}" - ${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} + secret-files: | + nginx-repo.crt=nginx-repo.crt + nginx-repo.key=nginx-repo.key + ${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }} if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }} - name: Debug values @@ -199,10 +230,10 @@ jobs: IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }} ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }} ${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }} - secrets: | - "nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}" - "nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}" - ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} + secret-files: | + nginx-repo.crt=nginx-repo.crt + nginx-repo.key=nginx-repo.key + ${{ contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }} if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Make directory for security scan results 
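Review bot: The build step in the @@ -199 hunk (`if: ${{ steps.images_exist.outputs.base_exists != 'true' || … }}`) is not gated on `inputs.authenticated`, but the `Setup secrets` step that creates `nginx-repo.crt`, `nginx-repo.key` and `rhel_license` is (`if: ${{ inputs.authenticated }}` in the @@ -63 hunk). In an unauthenticated run that reaches this step, `secret-files` now points at files that were never written, and BuildKit fails on a missing secret source where the old `secrets:` form passed an empty value; whether such runs exist depends on the caller, which is not visible here. Either gate this step on `inputs.authenticated` as the @@ -154 step is, or note on the step why unauthenticated runs never reach it.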
@@ -222,3 +253,8 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment summary: true if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }} + + - name: Clean up secrets + run: | + rm -f nginx-repo.crt nginx-repo.key rhel_license + if: always() diff --git a/.github/workflows/build-single-image.yml b/.github/workflows/build-single-image.yml index 7c389619dc..ad3bc59fcd 100644 --- a/.github/workflows/build-single-image.yml +++ b/.github/workflows/build-single-image.yml 
@@ -79,17 +79,35 @@ jobs: username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - - name: Setup plus credentials + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ contains(inputs.target, 'plus') }} + + - name: Setup secrets + id: secrets run: | - printf '%s\n' "${CERT}" > nginx-repo.crt - printf '%s\n' "${KEY}" > nginx-repo.key - if [[ "${{ inputs.target }}" =~ ubi ]]; then - printf '%s\n' "${RHEL}" > rhel_license - fi - env: - CERT: ${{ secrets.NGINX_CRT }} - KEY: ${{ secrets.NGINX_KEY }} - RHEL: ${{ secrets.RHEL_LICENSE }} + echo "Setting secrets for job" + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${CERT}" + echo $CERT > nginx-repo.crt + IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${KEY}" + echo $KEY > nginx-repo.key + IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + while read -r line; do + echo "::add-mask::${line}" + done <<< "${RHEL_CREDS}" + echo $RHEL_CREDS > rhel_license if: ${{ contains(inputs.target, 'plus') }} - name: Fetch Cached Binary Artifacts 
@@ -107,14 +125,6 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GOPATH: ${{ steps.vars.outputs.go_path }} - AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }} - AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }} - AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }} - AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }} - AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }} - AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }} - AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }} - AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }} GORELEASER_CURRENT_TAG: "v${{ steps.vars.outputs.ic_version }}" if: ${{ steps.binary-cache.outputs.binary_cache_hit != 'true' }} @@ -142,3 +152,8 @@ jobs: REGISTRY: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev PREFIX: ${{ inputs.prefix }} TAG: ${{ inputs.tag }} + + - name: Clean up secrets + run: | + rm -f nginx-repo.crt nginx-repo.key rhel_license + if: always() diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c4cfdb0aa2..a7e6cb9442 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
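Review bot: The eight `AWS_*` entries are dropped from the goreleaser step's `env:` with no replacement anywhere in this diff, while the rest of the change only moves the NGINX and RHEL credentials into Key Vault; if goreleaser's marketplace configuration still reads these variables, that build would now run with them unset. If they moved to another source, a one-line comment on the step naming it (or a sentence in the commit message) would make the removal verifiable; if they are genuinely unused, the removal is fine as is. The enclosing step starts outside the hunk.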
@@ -436,6 +436,32 @@ jobs: with: version: 'v3.18.6' + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ needs.checks.outputs.forked_workflow != 'true' }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${CERT}" + echo $CERT > nginx-repo.crt + IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${KEY}" + echo $KEY > nginx-repo.key + if: ${{ needs.checks.outputs.forked_workflow != 'true' }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -490,9 +516,9 @@ jobs: build-args: | BUILD_OS=${{ matrix.base-os }} IC_VERSION=CI - secrets: | - ${{ matrix.type == 'plus' && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} - ${{ matrix.type == 'plus' && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} + secret-files: | + ${{ matrix.type == 'plus' && 'nginx-repo.crt=nginx-repo.crt' || '' }} + ${{ matrix.type == 'plus' && 'nginx-repo.key=nginx-repo.key' || '' }} if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }} - name: Deploy Kubernetes 
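Review bot: The build step in the @@ -490 hunk runs only when `needs.checks.outputs.forked_workflow == 'true'`, while the `Setup secrets` step that produces `nginx-repo.crt` and `nginx-repo.key` runs only when it is `!= 'true'`, so for a `matrix.type == 'plus'` entry on a fork `secret-files` now references files that were never written and BuildKit fails on the missing source, whereas the empty `secrets.NGINX_CRT` previously just yielded an empty secret. If plus entries are excluded from the fork matrix this is unreachable, but that is not visible here. Since repository secrets are unavailable to forks anyway, either the `Setup secrets` condition is inverted or the plus build should be excluded from the fork path explicitly rather than by relying on the matrix.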
@@ -551,6 +577,11 @@ jobs: done if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }} + - name: Clean up secrets + run: | + rm -f nginx-repo.crt nginx-repo.key + if: always() + setup-matrix: if: ${{ inputs.force || (inputs.run_tests && inputs.run_tests || true) || needs.checks.outputs.docs_only != 'true' }} name: Setup Matrix for Smoke Tests diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index a54ba7265e..67c52f922d 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml 
@@ -61,6 +61,37 @@ jobs: echo "build_tag=${{ inputs.build-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT echo "stable_tag=${{ inputs.stable-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ inputs.authenticated }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${CERT}" + echo $CERT > nginx-repo.crt + IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${KEY}" + echo $KEY > nginx-repo.key + IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + while read -r line; do + echo "::add-mask::${line}" + done <<< "${RHEL_CREDS}" + echo $RHEL_CREDS > rhel_license + if: ${{ inputs.authenticated }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 
@@ -144,10 +175,10 @@ jobs: IC_VERSION=CI ${{ contains(inputs.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }} ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }} - secrets: | - ${{ contains(inputs.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }} - ${{ contains(inputs.image, 'nap') && format('"nginx-repo.key={0}"', secrets.NGINX_AP_KEY) || format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }} - ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} + secret-files: | + nginx-repo.crt=nginx-repo.crt + nginx-repo.key=nginx-repo.key + ${{ contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }} if: ${{ !inputs.authenticated }} - name: Generate WAF v5 tgz from JSON @@ -177,3 +208,8 @@ jobs: name: ${{ steps.smoke-tests.outputs.test-results-name }} path: ${{ steps.smoke-tests.outputs.test-results-path }} if: ${{ !cancelled() && steps.stable_exists.outputs.exists != 'true' }} + + - name: Clean up secrets + run: | + rm -f nginx-repo.crt nginx-repo.key rhel_license + if: always()
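Review bot: The build step here runs only when `!inputs.authenticated`, but `Azure login` and `Setup secrets` in the @@ -61 hunk run only when `inputs.authenticated`, so in exactly the runs that reach this step `nginx-repo.crt`, `nginx-repo.key` and `rhel_license` have not been written and the two unconditional `nginx-repo.*` entries under `secret-files` point at missing files (BuildKit errors on a missing source, where the old `secrets:` form passed an empty value). One of the two conditions looks inverted; if the unauthenticated path is meant to build only OSS images from this step, the `nginx-repo.*` lines need the same kind of expression guard the `rhel_license` line has instead of being unconditional. The removed lines also chose `NGINX_AP_*` versus `NGINX_*` credentials on `contains(inputs.image, 'nap')`, and that distinction collapses into the single `plus-creds` vault entry — presumably that certificate is valid for the NAP repository as well, which is worth confirming before merge.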