Merge pull request #1509 from nginx/dev-v2-secrets

sean-breen · web-flow · commit e70e1fb33d05 · 2026-02-05T14:43:50.000Z
[dev-v2] fix secrets
diff --git a/.github/actions/az-sync/action.yml b/.github/actions/az-sync/action.yml
@@ -0,0 +1,64 @@
+name: Sync Secrets from Azure Key Vault
+author: s.breen
+description: az-sync
+inputs:
+  az_client_id:
+    description: 'Azure Client ID'
+    required: true
+  az_tenant_id:
+    description: 'Azure Tenant ID'
+    required: true
+  az_subscription_id:
+    description: 'Azure Subscription ID'
+    required: true
+  keyvault:
+    description: 'Azure Key Vault name'
+    required: true
+  secrets-filter:
+    description: 'Filter for secrets to sync (comma-separated patterns)'
+    required: true
+    default: '*'
+runs:
+  using: "composite"
+  steps:
+    - name: Azure login
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+      with:
+        client-id: ${{ inputs.az_client_id }}
+        tenant-id: ${{ inputs.az_tenant_id }}
+        subscription-id: ${{ inputs.az_subscription_id }}
+
+    - name: Sync
+      shell: bash
+      run: |
+        IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}"
+          for pattern in "${array[@]}"; do
+            echo "Processing pattern: $pattern"
+            for secret_name in $(az keyvault secret list --vault-name "${{ inputs.keyvault }}" --query "[?contains(name, '$pattern')].name" -o tsv); do
+              secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "${{ inputs.keyvault }}" --query value -o tsv)
+              # check if value is multiline
+              if [[ "$secret_value" == *$'\n'* ]]; then
+                # Mask each line for multiline secrets
+                while IFS= read -r line; do
+                [[ -n "$line" ]] && echo "::add-mask::${line}"
+                done <<< "$secret_value"
+          
+                # Use heredoc syntax for multiline environment variables
+                delimiter="EOF_${secret_name}_$(date +%s)"
+                {
+                  echo "${secret_name}<<${delimiter}"
+                  echo "$secret_value"
+                  echo "$delimiter"
+                } >> $GITHUB_ENV
+              else
+                echo "::add-mask::${secret_value}"
+                echo "$secret_name=$secret_value" >> $GITHUB_ENV
+              fi
+              echo "Synced secret: env.$secret_name"
+            done
+          done
+
+    - name: Azure logout
+      shell: bash
+      run: |
+        az logout
diff --git a/.github/workflows/azure-upload.yml b/.github/workflows/azure-upload.yml
@@ -51,11 +51,7 @@ jobs:
           build-args: |
             package_type=signed-package
       - name: Build Packages
-        env:
-          INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-          NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
-          echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
       - name: Azure Login
         uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -271,6 +271,8 @@ jobs:
       name: Integration Tests - Official Plus Images
       needs: build-unsigned-snapshot
       runs-on: ubuntu-24.04
+      permissions:
+        id-token: write  # for OIDC authentication
       if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot/') }}
       strategy:
           fail-fast: false
@@ -303,12 +305,32 @@ jobs:
             with:
                 name: nginx-agent-unsigned-snapshots
                 path: build
+
+          - name: Get Secrets from Agent Key Vault
+            uses: ./.github/actions/az-sync
+            with:
+              az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+              az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+              az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+              keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+              secrets-filter: 'artifactory'
+
+          - name: Sync Secrets from Common Key Vault
+            uses: ./.github/actions/az-sync
+            with:
+              az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+              az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+              az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+              keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }}
+              secrets-filter: 'docker,nginx-private-registry,nginx-pkg'
+
           - name: Login to Docker Registry
-            uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+            uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
             with:
-                registry: ${{ secrets.TEST_REGISTRY_URL }}
-                username: ${{ secrets.REGISTRY_USERNAME }}
-                password: ${{ secrets.REGISTRY_PASSWORD }}
+              registry: ${{ env.nginx-private-registry-url }}
+              username: ${{ env.nginx-pkg-jwt }}
+              password: "none"
+
           - name: Set Start Time
             run: echo "START_TIME=$(date +"%Y-%m-%dT%H:%M:%S.%NZ")" >> ${GITHUB_ENV}
           - name: Create Directory
@@ -320,7 +342,7 @@ jobs:
           - name: Run Integration Tests
             run: |
                 go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }}
-                CONTAINER_NGINX_IMAGE_REGISTRY="${{ secrets.TEST_REGISTRY_URL }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
+                CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
                 OS_RELEASE="${{ matrix.container.release }}" IMAGE_PATH="${{ matrix.container.path }}" \
                   make official-image-integration-test | tee ${{github.workspace}}/test/dashboard/logs/${{github.job}}/${{matrix.container.image}}${{matrix.container.version}}/raw_logs.log && exit "${PIPESTATUS[0]}"
           - name: Generate Test Results
@@ -345,10 +367,20 @@ jobs:
     name: Performance Tests
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot/') }}
     runs-on: ubuntu-22.04
+    permissions:
+      id-token: write  # for OIDC authentication
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Docker Build
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+      - name: Sync Secrets from Common Key Vault
+        uses: ./.github/actions/az-sync
+        with:
+          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }}
+          secrets-filter: 'nginx-pkg'
       - name: Build Docker Image
         uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
@@ -359,8 +391,8 @@ jobs:
           load: true
           no-cache: true
           secrets: |
-            "nginx-crt=${{ secrets.NGINX_CRT }}"
-            "nginx-key=${{ secrets.NGINX_KEY }}"
+            "nginx-crt=${{ env.nginx-pkg-certificate}}"
+            "nginx-key=${{ env.nginx-pkg-key }}"
       - name: Run Performance Tests
         run: docker run -v ${GITHUB_WORKSPACE}:/home/nginx/ --rm nginx-agent-benchmark:1.0.0
 
@@ -394,11 +426,7 @@ jobs:
           build-args: |
             package_type=signed-package
       - name: Build Packages
-        env:
-          INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-          NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
-          echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
       - name: Upload Artifacts
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml
@@ -47,5 +47,5 @@ jobs:
           # Do not lock PRs after a merge.
           lock-pullrequest-aftermerge: false
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
@@ -18,4 +18,4 @@ jobs:
         with:
           disable-releaser: true
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
@@ -165,11 +165,7 @@ jobs:
             package_type=signed-package
 
       - name: Build Packages
-        env:
-          INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-          NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
-          echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
 
       - name: Get Id Token
@@ -184,7 +180,7 @@ jobs:
       - name: Publish Release Packages
         if: ${{ inputs.publishPackages == true }}
         env:
-          TOKEN: ${{ steps.idtoken.outputs.id_token }}
+          TOKEN: ${{ github.token }}
           UPLOAD_URL: "https://up-ap.nginx.com"
         run: |
           make release
diff --git a/.nfpm.yaml b/.nfpm.yaml
@@ -39,15 +39,8 @@ overrides:
     depends:
       - apt-transport-https
 deb:
-  signature:
-    method: dpkg-sig
-    key_file: ".key.asc"
 rpm:
-  signature:
-    key_file: ".key.asc"
 apk:
-  signature:
-    key_file: ".key.rsa"
   scripts:
     postupgrade: "./scripts/packages/postupgrade.sh"
 scripts:
diff --git a/Makefile.packaging b/Makefile.packaging
@@ -41,7 +41,7 @@ $(GITHUB_PACKAGES_DIR):
 $(AZURE_PACKAGES_DIR):
 	@mkdir -p $(AZURE_PACKAGES_DIR)
 
-package: gpg-key $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
+package: $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
 	# Create deb packages
 	
 	@for arch in $(DEB_ARCHS); do \
diff --git a/scripts/packages/packager/signed-entrypoint.sh b/scripts/packages/packager/signed-entrypoint.sh
@@ -39,7 +39,7 @@ for freebsd_abi in $FREEBSD_DISTROS; do \
         -p staging/plist \
         -o ./build/packages/txz/"$freebsd_abi"; \
     # create freebsd pkg repo layout
-    pkg repo ./build/packages/txz/"$freebsd_abi" .key.rsa; \
+    pkg repo ./build/packages/txz/"$freebsd_abi"; \
     # Creating symbolic link from txz to pkg. In older versions of pkg the extension would represent the format of the file
     # but since version 1.17.0 pkg will now always create a file with the extesion pkg no matter what the format is.
     # See 1.17.0 release notes for more info: https://cgit.freebsd.org/ports/commit/?id=e497a16a286972bfcab908209b11ee6a13d99dc9
