Add RHEL support for NAP DoS 2.1 release (#159)

Co-authored-by: Alessandro Fael Garcia <[email protected]>

Author: aknot242

.github/workflows/molecule.yml

@@ -51,3 +51,5 @@ jobs:
           ANSIBLE_FORCE_COLOR: 1
           NGINX_CRT: ${{ secrets.NGINX_CRT }}
           NGINX_KEY: ${{ secrets.NGINX_KEY }}
+          RHEL_USERNAME: ${{ secrets.RHEL_USERNAME }}
+          RHEL_PASSWORD: ${{ secrets.RHEL_PASSWORD }}

CHANGELOG.md

@@ -6,12 +6,14 @@ BREAKING CHANGES:
 
 * Rename `nginx_app_protect_<waf/dos>_state` parameter to `nginx_app_protect_<waf/dos>_setup` parameters.
 * Rename multiple `nginx_app_protect_*` parameters and tags to `nginx_app_protect_waf_*` to aid in disambiguation.
-* Cleanup remaining Alpine Linux tasks.
+* Cleanup deprecated Alpine Linux tasks.
 * Remove `nginx_app_protect_configure` parameter since it has limited functionality given the `nginx_app_protect_*_policy_file_enable` parameters.
 
 ENHANCEMENTS:
 
-New molecule tests for NGINX App Protect WAF and DoS removal scenarios.
+* Add support of RHEL 8.1+ for NGINX App Protect WAF 3.8.
+* Add support of RHEL 7.4+ and 8.x for NGINX App Protect DoS 2.1.
+* New molecule tests for RHEL 7/8 and for NGINX App Protect WAF/DoS removal scenarios.
 
 BUG FIXES:
 

README.md

@@ -81,6 +81,7 @@ Debian:
   - buster (10)
 RHEL:
   - 7.4+
+  - 8.1+
 Ubuntu:
   - bionic (18.04)
   - focal (20.04)
@@ -97,6 +98,9 @@ CentOS:
   - 7.4+
 Debian:
   - buster (10)
+RHEL:
+  - 7.4+
+  - 8.0+
 Ubuntu:
   - bionic (18.04)
   - focal (20.04)

defaults/main.yml

@@ -19,7 +19,7 @@ nginx_app_protect_waf_setup: install
 # Default is install.
 nginx_app_protect_dos_setup: install
 
-# If you have a RHEL subscription, NGINX App Protect WAF's dependencies will use subscription repos.
+# If you have a RHEL subscription, NGINX App Protect WAF and DoS's dependencies will use subscription repos.
 # Otherwise, it will source packages from CentOS' repositories.
 # Default is false.
 nginx_app_protect_use_rhel_subscription_repos: false

meta/main.yml

@@ -17,6 +17,7 @@ galaxy_info:
     - name: EL
       versions:
         - 7
+        - 8
     - name: Debian
       versions:
         - buster

molecule/advanced/molecule.yml

@@ -19,7 +19,7 @@ platforms:
       - name: molecule-test
   - name: centos-7
     image: centos:7
-    dockerfile: ../Dockerfile.j2
+    dockerfile: ../common/Dockerfile.j2
     privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
@@ -30,7 +30,7 @@ platforms:
       - name: molecule-test
   - name: debian-buster
     image: debian:buster-slim
-    dockerfile: ../Dockerfile.j2
+    dockerfile: ../common/Dockerfile.j2
     privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
@@ -41,7 +41,7 @@ platforms:
       - name: molecule-test
   - name: ubuntu-bionic
     image: ubuntu:bionic
-    dockerfile: ../Dockerfile.j2
+    dockerfile: ../common/Dockerfile.j2
     privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
@@ -52,7 +52,7 @@ platforms:
       - name: molecule-test
   - name: ubuntu-focal
     image: ubuntu:focal
-    dockerfile: ../Dockerfile.j2
+    dockerfile: ../common/Dockerfile.j2
     privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"

molecule/Dockerfile.j2 renamed to molecule/common/Dockerfile.j2

@@ -0,0 +1,32 @@
+---
+- name: Cleanup
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Block
+      block:
+        - name: Wait for containers to be up
+          wait_for_connection:
+            delay: 1
+            timeout: 2
+          register: connection
+          ignore_errors: true
+
+        - name: Containers are not up, quit from here
+          fail:
+          when: connection.failed
+
+        - name: Gather facts
+          setup:
+            gather_subset:
+              - "!all"
+              - "!any"
+              - distribution
+
+        - name: (RHEL) Unregister system from RHEL subscription manager
+          redhat_subscription:
+            state: absent
+          when: ansible_distribution == "RedHat"
+      rescue:
+        - name: It's ok we're at startup
+          meta: noop

molecule/common/cleanup.yml

@@ -5,14 +5,14 @@
   tasks:
     - name: Create ephemeral license certificate file from b64 decoded env var
       copy:
-        content: "{{ lookup('env','NGINX_CRT') | b64decode }}"
+        content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}"
         dest: ../../files/license/nginx-repo.crt
         force: false
         mode: 0444
 
     - name: Create ephemeral license key file from b64 decoded env var
       copy:
-        content: "{{ lookup('env','NGINX_KEY') | b64decode }}"
+        content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}"
         dest: ../../files/license/nginx-repo.key
         force: false
         mode: 0444

molecule/default/prepare.yml renamed to molecule/common/prepare.yml

@@ -1,6 +1,23 @@
 ---
 - name: Converge
   hosts: all
+  vars:
+    rhel_subscription: false
+  pre_tasks:
+    - name: (RHEL) Check if there is a valid RHEL subscription
+      set_fact:
+        rhel_subscription: true
+      when:
+        - lookup('env', 'RHEL_USERNAME') | length > 0
+        - lookup('env', 'RHEL_PASSWORD') | length > 0
+
+    - name: (RHEL) Register system into RHEL subscription manager
+      redhat_subscription:
+        username: "{{ lookup('env', 'RHEL_USERNAME') }}"
+        password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
+      when:
+        - ansible_distribution == "RedHat"
+        - rhel_subscription| bool
   tasks:
     - name: Install NGINX App Protect WAF
       include_role:
@@ -9,6 +26,7 @@
         nginx_app_protect_license:
           certificate: license/nginx-repo.crt
           key: license/nginx-repo.key
+        nginx_app_protect_use_rhel_subscription_repos: "{{ rhel_subscription }}"
         nginx_app_protect_remove_license: false
         nginx_app_protect_install_signatures: true
         nginx_app_protect_install_threat_campaigns: true