Merge branch 'dev-v2' into update-config-file-dep-review-v2

Author: dhurley

.github/actions/az-sync/action.yml

@@ -0,0 +1,64 @@
+name: Sync Secrets from Azure Key Vault
+author: s.breen
+description: az-sync
+inputs:
+  az_client_id:
+    description: 'Azure Client ID'
+    required: true
+  az_tenant_id:
+    description: 'Azure Tenant ID'
+    required: true
+  az_subscription_id:
+    description: 'Azure Subscription ID'
+    required: true
+  keyvault:
+    description: 'Azure Key Vault name'
+    required: true
+  secrets-filter:
+    description: 'Filter for secrets to sync (comma-separated patterns)'
+    required: true
+    default: '*'
+runs:
+  using: "composite"
+  steps:
+    - name: Azure login
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+      with:
+        client-id: ${{ inputs.az_client_id }}
+        tenant-id: ${{ inputs.az_tenant_id }}
+        subscription-id: ${{ inputs.az_subscription_id }}
+
+    - name: Sync
+      shell: bash
+      run: |
+        IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}"
+          for pattern in "${array[@]}"; do
+            echo "Processing pattern: $pattern"
+            for secret_name in $(az keyvault secret list --vault-name "${{ inputs.keyvault }}" --query "[?contains(name, '$pattern')].name" -o tsv); do
+              secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "${{ inputs.keyvault }}" --query value -o tsv)
+              # check if value is multiline
+              if [[ "$secret_value" == *$'\n'* ]]; then
+                # Mask each line for multiline secrets
+                while IFS= read -r line; do
+                [[ -n "$line" ]] && echo "::add-mask::${line}"
+                done <<< "$secret_value"
+          
+                # Use heredoc syntax for multiline environment variables
+                delimiter="EOF_${secret_name}_$(date +%s)"
+                {
+                  echo "${secret_name}<<${delimiter}"
+                  echo "$secret_value"
+                  echo "$delimiter"
+                } >> $GITHUB_ENV
+              else
+                echo "::add-mask::${secret_value}"
+                echo "$secret_name=$secret_value" >> $GITHUB_ENV
+              fi
+              echo "Synced secret: env.$secret_name"
+            done
+          done
+
+    - name: Azure logout
+      shell: bash
+      run: |
+        az logout

.github/workflows/azure-upload.yml

@@ -51,11 +51,7 @@ jobs:
           build-args: |
             package_type=signed-package
       - name: Build Packages
-        env:
-          INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-          NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
-          echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
       - name: Azure Login
         uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0

.github/workflows/ci.yml

@@ -271,6 +271,8 @@ jobs:
       name: Integration Tests - Official Plus Images
       needs: build-unsigned-snapshot
       runs-on: ubuntu-24.04
+      permissions:
+        id-token: write  # for OIDC authentication
       if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot/') }}
       strategy:
           fail-fast: false
@@ -303,12 +305,32 @@ jobs:
             with:
                 name: nginx-agent-unsigned-snapshots
                 path: build
+
+          - name: Get Secrets from Agent Key Vault
+            uses: ./.github/actions/az-sync
+            with:
+              az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+              az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+              az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+              keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+              secrets-filter: 'artifactory'
+
+          - name: Sync Secrets from Common Key Vault
+            uses: ./.github/actions/az-sync
+            with:
+              az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+              az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+              az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+              keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }}
+              secrets-filter: 'docker,nginx-private-registry,nginx-pkg'
+
           - name: Login to Docker Registry
-            uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+            uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
             with:
-                registry: ${{ secrets.TEST_REGISTRY_URL }}
-                username: ${{ secrets.REGISTRY_USERNAME }}
-                password: ${{ secrets.REGISTRY_PASSWORD }}
+              registry: ${{ env.nginx-private-registry-url }}
+              username: ${{ env.nginx-pkg-jwt }}
+              password: "none"
+
           - name: Set Start Time
             run: echo "START_TIME=$(date +"%Y-%m-%dT%H:%M:%S.%NZ")" >> ${GITHUB_ENV}
           - name: Create Directory
@@ -320,7 +342,7 @@ jobs:
           - name: Run Integration Tests
             run: |
                 go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }}
-                CONTAINER_NGINX_IMAGE_REGISTRY="${{ secrets.TEST_REGISTRY_URL }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
+                CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
                 OS_RELEASE="${{ matrix.container.release }}" IMAGE_PATH="${{ matrix.container.path }}" \
                   make official-image-integration-test | tee ${{github.workspace}}/test/dashboard/logs/${{github.job}}/${{matrix.container.image}}${{matrix.container.version}}/raw_logs.log && exit "${PIPESTATUS[0]}"
           - name: Generate Test Results
@@ -345,10 +367,20 @@ jobs:
     name: Performance Tests
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot/') }}
     runs-on: ubuntu-22.04
+    permissions:
+      id-token: write  # for OIDC authentication
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Docker Build
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+      - name: Sync Secrets from Common Key Vault
+        uses: ./.github/actions/az-sync
+        with:
+          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }}
+          secrets-filter: 'nginx-pkg'
       - name: Build Docker Image
         uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
@@ -359,8 +391,8 @@ jobs:
           load: true
           no-cache: true
           secrets: |
-            "nginx-crt=${{ secrets.NGINX_CRT }}"
-            "nginx-key=${{ secrets.NGINX_KEY }}"
+            "nginx-crt=${{ env.nginx-pkg-certificate}}"
+            "nginx-key=${{ env.nginx-pkg-key }}"
       - name: Run Performance Tests
         run: docker run -v ${GITHUB_WORKSPACE}:/home/nginx/ --rm nginx-agent-benchmark:1.0.0
 
@@ -394,11 +426,7 @@ jobs:
           build-args: |
             package_type=signed-package
       - name: Build Packages
-        env:
-          INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-          NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
-          echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
       - name: Upload Artifacts
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3

.github/workflows/f5-cla.yml

@@ -47,5 +47,5 @@ jobs:
           # Do not lock PRs after a merge.
           lock-pullrequest-aftermerge: false
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}

.github/workflows/label-pr.yml

@@ -18,4 +18,4 @@ jobs:
         with:
           disable-releaser: true
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/release-branch.yml

@@ -165,11 +165,7 @@ jobs:
             package_type=signed-package
 
       - name: Build Packages
-        env:
-          INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-          NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
-          echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
 
       - name: Get Id Token
@@ -184,7 +180,7 @@ jobs:
       - name: Publish Release Packages
         if: ${{ inputs.publishPackages == true }}
         env:
-          TOKEN: ${{ steps.idtoken.outputs.id_token }}
+          TOKEN: ${{ github.token }}
           UPLOAD_URL: "https://up-ap.nginx.com"
         run: |
           make release

.nfpm.yaml

@@ -39,15 +39,8 @@ overrides:
     depends:
       - apt-transport-https
 deb:
-  signature:
-    method: dpkg-sig
-    key_file: ".key.asc"
 rpm:
-  signature:
-    key_file: ".key.asc"
 apk:
-  signature:
-    key_file: ".key.rsa"
   scripts:
     postupgrade: "./scripts/packages/postupgrade.sh"
 scripts:

Makefile.packaging

@@ -41,7 +41,7 @@ $(GITHUB_PACKAGES_DIR):
 $(AZURE_PACKAGES_DIR):
 	@mkdir -p $(AZURE_PACKAGES_DIR)
 
-package: gpg-key $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
+package: $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
 	# Create deb packages
 
 	@for arch in $(DEB_ARCHS); do \

docs/proto/proto.md

@@ -18,9 +18,6 @@
     - [AgentConnectStatus.StatusCode](#f5-nginx-agent-sdk-AgentConnectStatus-StatusCode)
     - [AgentLogging.Level](#f5-nginx-agent-sdk-AgentLogging-Level)
 
-- [command_svc.proto](#command_svc-proto)
-    - [Commander](#f5-nginx-agent-sdk-Commander)
-  
 - [command.proto](#command-proto)
     - [AgentActivityStatus](#f5-nginx-agent-sdk-AgentActivityStatus)
     - [ChunkedResourceChunk](#f5-nginx-agent-sdk-ChunkedResourceChunk)
@@ -42,6 +39,9 @@
     - [NginxConfigStatus.Status](#f5-nginx-agent-sdk-NginxConfigStatus-Status)
     - [UploadStatus.TransferStatus](#f5-nginx-agent-sdk-UploadStatus-TransferStatus)
 
+- [command_svc.proto](#command_svc-proto)
+    - [Commander](#f5-nginx-agent-sdk-Commander)
+  
 - [common.proto](#common-proto)
     - [CertificateDates](#f5-nginx-agent-sdk-CertificateDates)
     - [CertificateName](#f5-nginx-agent-sdk-CertificateName)
@@ -341,34 +341,6 @@ Log level enum
 
 
 
-<a name="command_svc-proto"></a>
-<p align="right"><a href="#top">Top</a></p>
-
-## command_svc.proto
-
-
- 
-
- 
-
- 
-
-
-<a name="f5-nginx-agent-sdk-Commander"></a>
-
-### Commander
-Represents a service used to sent command messages between the management server and the agent.
-
-| Method Name | Request Type | Response Type | Description |
-| ----------- | ------------ | ------------- | ------------|
-| CommandChannel | [Command](#f5-nginx-agent-sdk-Command) stream | [Command](#f5-nginx-agent-sdk-Command) stream | A Bidirectional streaming RPC established by the agent and is kept open |
-| Download | [DownloadRequest](#f5-nginx-agent-sdk-DownloadRequest) | [DataChunk](#f5-nginx-agent-sdk-DataChunk) stream | A streaming RPC established by the agent and is used to download resources associated with commands The download stream will be kept open for the duration of the data transfer and will be closed when its done. The transfer is a stream of chunks as follows: header -&gt; data chunk 1 -&gt; data chunk N. Each data chunk is of a size smaller than the maximum gRPC payload |
-| Upload | [DataChunk](#f5-nginx-agent-sdk-DataChunk) stream | [UploadStatus](#f5-nginx-agent-sdk-UploadStatus) | A streaming RPC established by the agent and is used to upload resources associated with commands |
-
- 
-
-
-
 <a name="command-proto"></a>
 <p align="right"><a href="#top">Top</a></p>
 
@@ -680,6 +652,34 @@ Transfer status enum
 
 
 
+<a name="command_svc-proto"></a>
+<p align="right"><a href="#top">Top</a></p>
+
+## command_svc.proto
+
+
+ 
+
+ 
+
+ 
+
+
+<a name="f5-nginx-agent-sdk-Commander"></a>
+
+### Commander
+Represents a service used to sent command messages between the management server and the agent.
+
+| Method Name | Request Type | Response Type | Description |
+| ----------- | ------------ | ------------- | ------------|
+| CommandChannel | [Command](#f5-nginx-agent-sdk-Command) stream | [Command](#f5-nginx-agent-sdk-Command) stream | A Bidirectional streaming RPC established by the agent and is kept open |
+| Download | [DownloadRequest](#f5-nginx-agent-sdk-DownloadRequest) | [DataChunk](#f5-nginx-agent-sdk-DataChunk) stream | A streaming RPC established by the agent and is used to download resources associated with commands The download stream will be kept open for the duration of the data transfer and will be closed when its done. The transfer is a stream of chunks as follows: header -&gt; data chunk 1 -&gt; data chunk N. Each data chunk is of a size smaller than the maximum gRPC payload |
+| Upload | [DataChunk](#f5-nginx-agent-sdk-DataChunk) stream | [UploadStatus](#f5-nginx-agent-sdk-UploadStatus) | A streaming RPC established by the agent and is used to upload resources associated with commands |
+
+ 
+
+
+
 <a name="common-proto"></a>
 <p align="right"><a href="#top">Top</a></p>
 

go.mod

@@ -2,7 +2,7 @@ module github.com/nginx/agent/v2
 
 go 1.24.2
 
-toolchain go1.24.11
+toolchain go1.24.12
 
 require (
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect