az migration

aphralG · aphralG · commit a1d1d34a9c28 · 2026-02-05T11:25:56.000Z
diff --git a/.github/workflows/azure-action.yml b/.github/workflows/azure-action.yml
@@ -0,0 +1,64 @@
+name: Sync Secrets from Azure Key Vault
+author: s.breen
+description: az-sync
+inputs:
+    az_client_id:
+        description: 'Azure Client ID'
+        required: true
+    az_tenant_id:
+        description: 'Azure Tenant ID'
+        required: true
+    az_subscription_id:
+        description: 'Azure Subscription ID'
+        required: true
+    keyvault:
+        description: 'Azure Key Vault name'
+        required: true
+    secrets-filter:
+        description: 'Filter for secrets to sync (comma-separated patterns)'
+        required: true
+        default: '*'
+runs:
+    using: "composite"
+    steps:
+        - name: Azure login
+          uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+          with:
+              client-id: ${{ inputs.az_client_id }}
+              tenant-id: ${{ inputs.az_tenant_id }}
+              subscription-id: ${{ inputs.az_subscription_id }}
+
+        - name: Sync
+          shell: bash
+          run: |
+              IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}"
+                for pattern in "${array[@]}"; do
+                  echo "Processing pattern: $pattern"
+                  for secret_name in $(az keyvault secret list --vault-name "${{ inputs.keyvault }}" --query "[?contains(name, '$pattern')].name" -o tsv); do
+                    secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "${{ inputs.keyvault }}" --query value -o tsv)
+                    # check if value is multiline
+                    if [[ "$secret_value" == *$'\n'* ]]; then
+                      # Mask each line for multiline secrets
+                      while IFS= read -r line; do
+                      [[ -n "$line" ]] && echo "::add-mask::${line}"
+                      done <<< "$secret_value"
+              
+                      # Use heredoc syntax for multiline environment variables
+                      delimiter="EOF_${secret_name}_$(date +%s)"
+                      {
+                        echo "${secret_name}<<${delimiter}"
+                        echo "$secret_value"
+                        echo "$delimiter"
+                      } >> $GITHUB_ENV
+                    else
+                      echo "::add-mask::${secret_value}"
+                      echo "$secret_name=$secret_value" >> $GITHUB_ENV
+                    fi
+                    echo "Synced secret: env.$secret_name"
+                  done
+                done
+
+        - name: Azure logout
+          shell: bash
+          run: |
+              az logout
diff --git a/.github/workflows/azure-upload.yml b/.github/workflows/azure-upload.yml
@@ -21,6 +21,14 @@ jobs:
           go-version-file: 'go.mod'
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       - run: npm install semver@7.6.2
+      - name: Get Secrets from Azure Key Vault
+        uses: ./.github/workflows/azure-action.yml
+        with:
+            az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+            az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+            az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+            keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+            secrets-filter: 'artifactory'
       - name: Setup build environment
         run: |
           if [ "${{ env.ACT }}" = "true" ]; then
@@ -51,11 +59,7 @@ jobs:
           build-args: |
             package_type=signed-package
       - name: Build Packages
-        env:
-          INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-          NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
-          echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
       - name: Azure Login
         uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -298,6 +298,14 @@ jobs:
           - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
             with:
                 go-version-file: 'go.mod'
+          - name: Get Secrets from Azure Key Vault
+            uses: ./.github/workflows/azure-action.yml
+            with:
+                  az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+                  az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+                  az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+                  keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+                  secrets-filter: 'artifactory'
           - name: Download Packages
             uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
             with:
@@ -306,9 +314,9 @@ jobs:
           - name: Login to Docker Registry
             uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
             with:
-                registry: ${{ secrets.TEST_REGISTRY_URL }}
-                username: ${{ secrets.REGISTRY_USERNAME }}
-                password: ${{ secrets.REGISTRY_PASSWORD }}
+                registry: ${{ env.nginx-private-registry-url }}
+                username: ${{ env.nginx-pkg-jwt }}
+                password: "none"
           - name: Set Start Time
             run: echo "START_TIME=$(date +"%Y-%m-%dT%H:%M:%S.%NZ")" >> ${GITHUB_ENV}
           - name: Create Directory
@@ -320,8 +328,9 @@ jobs:
           - name: Run Integration Tests
             run: |
                 go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }}
-                CONTAINER_NGINX_IMAGE_REGISTRY="${{ secrets.TEST_REGISTRY_URL }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
+                CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
                 OS_RELEASE="${{ matrix.container.release }}" IMAGE_PATH="${{ matrix.container.path }}" \
+                 NGINX_LICENSE_JWT='${{ env.nginx-pkg-jwt }}' \
                   make official-image-integration-test | tee ${{github.workspace}}/test/dashboard/logs/${{github.job}}/${{matrix.container.image}}${{matrix.container.version}}/raw_logs.log && exit "${PIPESTATUS[0]}"
           - name: Generate Test Results
             if: always()
@@ -349,6 +358,14 @@ jobs:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Docker Build
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+      - name: Get Secrets from Azure Key Vault
+        uses: ./.github/workflows/azure-action.yml
+        with:
+              az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+              az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+              az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+              keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+              secrets-filter: 'artifactory'
       - name: Build Docker Image
         uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
@@ -359,8 +376,8 @@ jobs:
           load: true
           no-cache: true
           secrets: |
-            "nginx-crt=${{ secrets.NGINX_CRT }}"
-            "nginx-key=${{ secrets.NGINX_KEY }}"
+            "nginx-crt=${{ env.nginx-pkg-certificate }}"
+            "nginx-key=${{ env.nginx-pkg-key }}"
       - name: Run Performance Tests
         run: docker run -v ${GITHUB_WORKSPACE}:/home/nginx/ --rm nginx-agent-benchmark:1.0.0
 
@@ -375,6 +392,14 @@ jobs:
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: 'go.mod'
+      - name: Get Secrets from Azure Key Vault
+        uses: ./.github/workflows/azure-action.yml
+        with:
+            az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+            az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+            az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+            keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+            secrets-filter: 'artifactory'
       - name: Setup build environment
         run: |
           sudo apt-get update
@@ -394,11 +419,7 @@ jobs:
           build-args: |
             package_type=signed-package
       - name: Build Packages
-        env:
-          INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-          NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
-          echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
       - name: Upload Artifacts
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml
@@ -47,5 +47,5 @@ jobs:
           # Do not lock PRs after a merge.
           lock-pullrequest-aftermerge: false
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
@@ -18,4 +18,4 @@ jobs:
         with:
           disable-releaser: true
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
@@ -47,7 +47,14 @@ jobs:
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: 'go.mod'
-
+      - name: Get Secrets from Azure Key Vault
+        uses: ./.github/workflows/azure-action.yml
+        with:
+            az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+            az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+            az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+            keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+            secrets-filter: 'artifactory'
       - name: Create Draft Release
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         id: release
@@ -165,11 +172,7 @@ jobs:
             package_type=signed-package
 
       - name: Build Packages
-        env:
-          INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-          NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
-          echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
 
       - name: Get Id Token
diff --git a/Makefile.packaging b/Makefile.packaging
@@ -41,7 +41,7 @@ $(GITHUB_PACKAGES_DIR):
 $(AZURE_PACKAGES_DIR):
 	@mkdir -p $(AZURE_PACKAGES_DIR)
 
-package: gpg-key $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
+package: $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
 	# Create deb packages
 	
 	@for arch in $(DEB_ARCHS); do \
