From afabb028177b75bf9188c01df52a47dec3950062 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Tue, 11 Nov 2025 14:59:11 +0000 Subject: [PATCH 1/6] Migrate QUAY to Azure Vault --- .github/workflows/oss-release.yml | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml index c746f482ee..b9cb00206a 100644 --- a/.github/workflows/oss-release.yml +++ b/.github/workflows/oss-release.yml @@ -214,6 +214,25 @@ jobs: with: ref: ${{ inputs.branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + QUAY_CREDS=$(az keyvault secret show --name quay-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$QUAY_CREDS" + QUAY_USERNAME=$(echo $QUAY_CREDS | jq -r '.username') + echo "QUAY_USERNAME=$QUAY_USERNAME" >> $GITHUB_OUTPUT + QUAY_ROBOT_TOKEN=$(echo $QUAY_CREDS | jq -r '.token') + echo "::add-mask::$QUAY_ROBOT_TOKEN" + echo "QUAY_ROBOT_TOKEN=$QUAY_ROBOT_TOKEN" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: gcr-auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -233,8 +252,8 @@ jobs: uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_ROBOT_TOKEN }} + username: ${{ steps.secrets.outputs.QUAY_USERNAME }} + password: ${{ steps.secrets.outputs.QUAY_ROBOT_TOKEN }} - name: Publish images run: | From 275ec8f2d07cdc0a8582a14349d1c6346dbcd517 Mon Sep 17 00:00:00 2001 
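Review bot: In the `Setup secrets` step of the first hunk, `${{ secrets.NIC_KEYVAULT_NAME }}` is expanded as text inside the `run:` script and the fetched value is then re-read through an unquoted `echo $QUAY_CREDS`, so the shell performs word splitting and globbing on the JSON before `jq` sees it, and `>> $GITHUB_OUTPUT` is likewise unquoted. Passing the vault name via `env:` and referencing `"$VAULT_NAME"`, feeding jq with `jq -r '.username' <<<"$QUAY_CREDS"` and quoting `"$GITHUB_OUTPUT"` keeps the shell from reinterpreting any of those values. Because a step without an explicit `shell:` runs under `bash -e` without pipefail, a jq parse failure in the `echo | jq` pipeline does not fail the step and empty credentials are written to the outputs; adding `shell: bash` (which enables pipefail) or `jq -re` turns that into an error, unless the job already sets a default shell outside the hunk. The same script shape is repeated in the `Setup secrets` steps of ci.yml and regression.yml (PATCH 2), notifications.yml and release.yml (PATCH 3), oss-release.yml and plus-release.yml (PATCH 4) and release.yml (PATCH 5), so the fix applies there too.

```yaml
      - name: Setup secrets
        id: secrets
        shell: bash
        env:
          VAULT_NAME: ${{ secrets.NIC_KEYVAULT_NAME }}
        run: |
          echo "Setting secrets for job"
          QUAY_CREDS=$(az keyvault secret show --name quay-creds --vault-name "$VAULT_NAME" --query value -o tsv)
          echo "::add-mask::$QUAY_CREDS"
          QUAY_USERNAME=$(jq -re '.username' <<<"$QUAY_CREDS")
          echo "QUAY_USERNAME=$QUAY_USERNAME" >> "$GITHUB_OUTPUT"
          QUAY_ROBOT_TOKEN=$(jq -re '.token' <<<"$QUAY_CREDS")
          echo "::add-mask::$QUAY_ROBOT_TOKEN"
          echo "QUAY_ROBOT_TOKEN=$QUAY_ROBOT_TOKEN" >> "$GITHUB_OUTPUT"
      # … unchanged: Authenticate to Google Cloud and following steps …
```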
From: Alex Fenlon Date: Tue, 11 Nov 2025 14:59:37 +0000 Subject: [PATCH 2/6] Migrate CODECOV to Azure Vault --- .github/workflows/ci.yml | 22 +++++++++++++++++++++- .github/workflows/regression.yml | 20 +++++++++++++++++++- 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c4cfdb0aa2..e8061ac455 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -248,6 +248,9 @@ jobs: unit-tests: name: Unit Tests runs-on: ubuntu-24.04 + permissions: + contents: read + id-token: write needs: checks env: GOPROXY: ${{ needs.checks.outputs.go_proxy }} @@ -260,6 +263,23 @@ jobs: with: version: 'v3.18.6' + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ inputs.force || (needs.checks.outputs.binary_cache_hit != 'true' && needs.checks.outputs.forked_workflow != 'true') }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + CODECOV_TOKEN=$(az keyvault secret show --name code-cov --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$CODECOV_TOKEN" + echo "CODECOV_TOKEN=$CODECOV_TOKEN" >> $GITHUB_OUTPUT + if: ${{ inputs.force || (needs.checks.outputs.binary_cache_hit != 'true' && needs.checks.outputs.forked_workflow != 'true') }} + - name: Setup Golang Environment uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: @@ -284,7 +304,7 @@ jobs: uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: files: ./coverage.txt - token: ${{ secrets.CODECOV_TOKEN }} # required + token: ${{ steps.secrets.outputs.CODECOV_TOKEN }} # required if: ${{ needs.checks.outputs.binary_cache_hit != 'true' && (inputs.run_tests && inputs.run_tests || true) }} - name: Run static check 
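Review bot: In ci.yml the new `Azure login` and `Setup secrets` steps are gated on `inputs.force || (needs.checks.outputs.binary_cache_hit != 'true' && needs.checks.outputs.forked_workflow != 'true')`, while the `codecov` step that now consumes `steps.secrets.outputs.CODECOV_TOKEN` (third hunk) keeps its own condition `needs.checks.outputs.binary_cache_hit != 'true' && (...)`, so when `forked_workflow == 'true'` the token is never fetched but the upload still runs with an empty token, and when `inputs.force` is set together with a cache hit the vault is queried for nothing. This is probably not a regression, since `secrets.CODECOV_TOKEN` would also have been empty on a fork, but the producer and consumer conditions should be derived from one expression, or the codecov step should additionally require `steps.secrets.outcome == 'success'`, so the two cannot drift apart. The `unit-tests` job these steps belong to continues past the hunk.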
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 14724b4c88..a4b8b8beb3 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -83,6 +83,9 @@ jobs: unit-tests: name: Unit Tests runs-on: ubuntu-24.04 + permissions: + contents: read + id-token: write needs: [checks] steps: - name: Checkout Repository @@ -90,6 +93,21 @@ jobs: with: ref: ${{ needs.checks.outputs.branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + CODECOV_TOKEN=$(az keyvault secret show --name code-cov --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$CODECOV_TOKEN" + echo "CODECOV_TOKEN=$CODECOV_TOKEN" >> $GITHUB_OUTPUT + - name: Setup Helm uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 with: @@ -107,7 +125,7 @@ jobs: uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: files: ./coverage.txt - token: ${{ secrets.CODECOV_TOKEN }} # required + token: ${{ steps.secrets.outputs.CODECOV_TOKEN }} # required helm-tests: name: Helm Tests ${{ matrix.base-os }} From f9cca146e17d60198facc9ca7f3e0c9bca4e791d Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Tue, 11 Nov 2025 15:52:41 +0000 Subject: [PATCH 3/6] Migrate Slack_Webhook to Azure Vault --- .github/workflows/notifications.yml | 18 +++++++++++++++++- .github/workflows/release.yml | 18 +++++++++++++++++- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml index 8fd0199743..a236f79c7f 100644 --- a/.github/workflows/notifications.yml +++ b/.github/workflows/notifications.yml 
@@ -26,6 +26,7 @@ jobs: permissions: contents: read actions: read # for 8398a7/action-slack + id-token: write # for Azure login steps: - name: Data uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -48,6 +49,21 @@ jobs: commit_message: message_sanitized, } + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + SLACK_WEBHOOK=$(az keyvault secret show --name slack-pipeline-webhook --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$SLACK_WEBHOOK" + echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT + - name: Send Notification uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0 with: @@ -83,4 +99,4 @@ jobs: }] } env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} + SLACK_WEBHOOK_URL: ${{ steps.secrets.outputs.SLACK_WEBHOOK }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 88e2f3baa7..53e8553a14 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -635,6 +635,7 @@ jobs: permissions: contents: read actions: read + id-token: write strategy: fail-fast: false matrix: 
@@ -645,6 +646,21 @@ jobs: with: ref: ${{ inputs.release_branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + SLACK_WEBHOOK=$(az keyvault secret show --name slack-pipeline-webhook --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$SLACK_WEBHOOK" + echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT + - name: Get Image manifest digest id: digest run: | @@ -701,4 +717,4 @@ jobs: }] } env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} + SLACK_WEBHOOK_URL: ${{ steps.secrets.outputs.SLACK_WEBHOOK }} From de4e2cf091195cfd6d866aa63c018cf34ca27926 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Tue, 11 Nov 2025 15:54:06 +0000 Subject: [PATCH 4/6] Migrate AWS Roles to Azure Vault --- .github/workflows/oss-release.yml | 17 ++++++++++++++++- .github/workflows/plus-release.yml | 17 ++++++++++++++++- .github/workflows/release.yml | 17 ++++++++++++++++- 3 files changed, 48 insertions(+), 3 deletions(-) diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml index b9cb00206a..1ed9f9b674 100644 --- a/.github/workflows/oss-release.yml +++ b/.github/workflows/oss-release.yml 
@@ -121,6 +121,21 @@ jobs: with: ref: ${{ inputs.branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + AWS_ROLE_PUBLIC_ECR=$(az keyvault secret show --name aws-public-role --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$AWS_ROLE_PUBLIC_ECR" + echo "AWS_ROLE_PUBLIC_ECR=$AWS_ROLE_PUBLIC_ECR" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: gcr-auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -140,7 +155,7 @@ jobs: uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: aws-region: us-east-1 - role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }} + role-to-assume: ${{ steps.secrets.outputs.AWS_ROLE_PUBLIC_ECR }} - name: Login to Public ECR uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 diff --git a/.github/workflows/plus-release.yml b/.github/workflows/plus-release.yml index 47fbde482f..af195b8ad9 100644 --- a/.github/workflows/plus-release.yml +++ b/.github/workflows/plus-release.yml 
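Review bot: The `Azure login` step added at oss-release.yml line 121 (and the identical one at plus-release.yml line 215 in the next hunk) supplies only `client-id`/`tenant-id`/`subscription-id`, i.e. it logs in through OIDC federation and needs the job to grant `id-token: write`, yet unlike the ci.yml, regression.yml, notifications.yml and release.yml hunks in this series no `permissions` block is touched here. The jobs most likely already hold that permission because the neighbouring `google-github-actions/auth` and `configure-aws-credentials` (`role-to-assume`) steps depend on it too, but that cannot be confirmed from the hunk; a comment on the login step such as `# OIDC federation: requires id-token: write on this job` would make the dependency visible to the next editor. The role ARN stored in `AWS_ROLE_PUBLIC_ECR` is an identifier rather than a credential, so masking it is harmless but not essential. The enclosing job starts before the hunk.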
@@ -215,6 +215,21 @@ jobs: with: ref: ${{ inputs.branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + AWS_ROLE_MARKETPLACE=$(az keyvault secret show --name aws-mktpl-role --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$AWS_ROLE_MARKETPLACE" + echo "AWS_ROLE_MARKETPLACE=$AWS_ROLE_MARKETPLACE" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: gcr-auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -234,7 +249,7 @@ jobs: uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: aws-region: us-east-1 - role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }} + role-to-assume: ${{ steps.secrets.outputs.AWS_ROLE_MARKETPLACE }} - name: Login to ECR uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 53e8553a14..45aac0ee9a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -437,11 +437,26 @@ jobs: # with: # ref: ${{ inputs.release_branch }} + # - name: Azure login + # uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + # with: + # client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + # tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + # subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + # - name: Setup secrets + # id: secrets + # run: | + # echo "Setting secrets for job" + # AWS_ROLE_MARKETPLACE=$(az keyvault secret show --name aws-mktpl-role --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + # echo "::add-mask::$AWS_ROLE_MARKETPLACE" + # echo "AWS_ROLE_MARKETPLACE=$AWS_ROLE_MARKETPLACE" >> $GITHUB_OUTPUT + # - name: Configure AWS Credentials # uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 # with: # aws-region: us-east-1 - # role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }} + # role-to-assume: ${{ steps.secrets.outputs.AWS_ROLE_MARKETPLACE }} # - name: Publish to AWS Marketplace # uses: nginx/aws-marketplace-publish@accf7b4c725796b744f2ee27acc2488d76f63d32 # v1.0.8 From 9e94616fb810d46d47264c2bb5e514914fe46a67 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Tue, 11 Nov 2025 15:54:26 +0000 Subject: [PATCH 5/6] Migrate Azure Storage to Azure Vault --- .github/workflows/release.yml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 45aac0ee9a..d9c481a592 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -542,6 +542,19 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + AZURE_STORAGE=$(az keyvault secret show --name azure-storage --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$AZURE_STORAGE" + AZURE_STORAGE_ACCOUNT=$(echo $AZURE_STORAGE | jq -r '.account') + echo "::add-mask::$AZURE_STORAGE_ACCOUNT" + echo "AZURE_STORAGE_ACCOUNT=$AZURE_STORAGE_ACCOUNT" >> $GITHUB_OUTPUT + AZURE_BUCKET_NAME=$(echo $AZURE_STORAGE | jq -r '.bucket') + echo "::add-mask::$AZURE_BUCKET_NAME" + echo "AZURE_BUCKET_NAME=$AZURE_BUCKET_NAME" >> $GITHUB_OUTPUT + - name: Azure Upload Release Packages uses: azure/CLI@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 # v2.2.0 with: @@ -549,8 +562,8 @@ jobs: for i in $(find tarballs -type f); do echo -n "Uploading ${i} to kubernetes-ingress/v${{ inputs.nic_version }}/${i##*/} ... " if ${{ ! inputs.dry_run}}; then - az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_BUCKET_NAME }} \ - --account-name ${{ secrets.AZURE_STORAGE_ACCOUNT }} --overwrite -n kubernetes-ingress/v${{ inputs.nic_version }}/${i##*/} + az storage blob upload --auth-mode=login -f "$i" -c ${{ steps.secrets.outputs.AZURE_BUCKET_NAME }} \ + --account-name ${{ steps.secrets.outputs.AZURE_STORAGE_ACCOUNT }} --overwrite -n kubernetes-ingress/v${{ inputs.nic_version }}/${i##*/} echo "done" else echo "skipped, dry_run." From 95c5c1474d400f74f47516e5ad48c609023eea27 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Wed, 12 Nov 2025 13:44:21 +0000 Subject: [PATCH 6/6] add missing mask --- .github/workflows/oss-release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml index 1ed9f9b674..364e25f197 100644 --- a/.github/workflows/oss-release.yml +++ b/.github/workflows/oss-release.yml 
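Review bot: The `Setup secrets` step added below the existing `Azure login` at release.yml line 542 reads from `NIC_KEYVAULT_NAME` with the identity that logged in via `secrets.AZURE_TENANT_ID`/`secrets.AZURE_SUBSCRIPTION_ID` (context lines), not the `AZURE_VAULT_*` identity every other workflow in this series uses, so that identity must hold secret-read rights on the vault or `az keyvault secret show` fails; the hunk does not show whether it does. If reusing the storage-upload identity is intentional, a comment such as `# reuses the storage-upload login; that identity needs Key Vault secret read on NIC_KEYVAULT_NAME` would record the assumption. In the second hunk the container and account names are expanded as `${{ steps.secrets.outputs.AZURE_BUCKET_NAME }}` / `${{ steps.secrets.outputs.AZURE_STORAGE_ACCOUNT }}` inside the multi-line `run:` script; passing them through `env:` and quoting `"$AZURE_BUCKET_NAME"` and `"$AZURE_STORAGE_ACCOUNT"` keeps the shell from reinterpreting them. The `Azure login` step itself begins before the hunk.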
@@ -243,6 +243,7 @@ jobs: QUAY_CREDS=$(az keyvault secret show --name quay-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$QUAY_CREDS" QUAY_USERNAME=$(echo $QUAY_CREDS | jq -r '.username') + echo "::add-mask::$QUAY_USERNAME" echo "QUAY_USERNAME=$QUAY_USERNAME" >> $GITHUB_OUTPUT QUAY_ROBOT_TOKEN=$(echo $QUAY_CREDS | jq -r '.token') echo "::add-mask::$QUAY_ROBOT_TOKEN"
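Review bot: `echo "::add-mask::$QUAY_USERNAME"` redacts every later occurrence of that string in the job log, so if the robot account name is a short or common token (for instance an org name that also appears in image references) unrelated log lines will be redacted as well; worth checking the actual value before relying on log output for debugging. Masking is still reasonable if the username is treated as part of the credential, and it mirrors the mask already applied to `QUAY_ROBOT_TOKEN` two lines below. The `Setup secrets` step's `run:` block starts before the hunk.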