diff --git a/.github/actions/az-sync/action.yml b/.github/actions/az-sync/action.yml
new file mode 100644
index 0000000000..e7237c354e
--- /dev/null
+++ b/.github/actions/az-sync/action.yml
@@ -0,0 +1,64 @@
+name: Sync Secrets from Azure Key Vault
+author: s.breen
+description: az-sync
+inputs:
+ az_client_id:
+ description: 'Azure Client ID'
+ required: true
+ az_tenant_id:
+ description: 'Azure Tenant ID'
+ required: true
+ az_subscription_id:
+ description: 'Azure Subscription ID'
+ required: true
+ keyvault:
+ description: 'Azure Key Vault name'
+ required: true
+ secrets-filter:
+ description: 'Filter for secrets to sync (comma-separated patterns)'
+ required: true
+ default: '*'
+runs:
+ using: "composite"
+ steps:
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ inputs.az_client_id }}
+ tenant-id: ${{ inputs.az_tenant_id }}
+ subscription-id: ${{ inputs.az_subscription_id }}
+
+ - name: Sync
+ shell: bash
+ run: |
+ IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}"
+ for pattern in "${array[@]}"; do
+ echo "Processing pattern: $pattern"
+ for secret_name in $(az keyvault secret list --vault-name "${{ inputs.keyvault }}" --query "[?contains(name, '$pattern')].name" -o tsv); do
+ secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "${{ inputs.keyvault }}" --query value -o tsv)
+ # check if value is multiline
+ if [[ "$secret_value" == *$'\n'* ]]; then
+ # Mask each line for multiline secrets
+ while IFS= read -r line; do
+ [[ -n "$line" ]] && echo "::add-mask::${line}"
+ done <<< "$secret_value"
+
+ # Use heredoc syntax for multiline environment variables
+ delimiter="EOF_${secret_name}_$(date +%s)"
+ {
+ echo "${secret_name}<<${delimiter}"
+ echo "$secret_value"
+ echo "$delimiter"
+ } >> $GITHUB_ENV
+ else
+ echo "::add-mask::${secret_value}"
+ echo "$secret_name=$secret_value" >> $GITHUB_ENV
+ fi
+ echo "Synced secret: env.$secret_name"
+ done
+ done
+
+ - name: Azure logout
+ shell: bash
+ run: |
+ az logout
diff --git a/.github/workflows/azure-upload.yml b/.github/workflows/azure-upload.yml
index 002acda5a5..f18fd4d227 100644
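Review bot: `${{ inputs.secrets-filter }}` and `${{ inputs.keyvault }}` are expanded straight into the text of the Sync step's `run:` script, so whatever a caller passes is spliced into bash before it executes; for a reusable action the safer shape is a step-level `env:` with the inputs referenced as quoted shell variables. While there, `>> $GITHUB_ENV` is unquoted in both branches and should read `>> "$GITHUB_ENV"`. Everything written to `GITHUB_ENV` becomes an environment variable for every later step of the calling job, including third-party actions, and `::add-mask::` only hides the values in logs without narrowing that scope, which deserves a sentence in `description` (currently just `az-sync`).
```yaml
      - name: Sync
        shell: bash
        env:
          KEYVAULT: ${{ inputs.keyvault }}
          SECRETS_FILTER: ${{ inputs.secrets-filter }}
        run: |
          IFS=',' read -r -a array <<< "$SECRETS_FILTER"
          # … unchanged: outer pattern loop …
            for secret_name in $(az keyvault secret list --vault-name "$KEYVAULT" --query "[?contains(name, '$pattern')].name" -o tsv); do
              secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "$KEYVAULT" --query value -o tsv)
              # … unchanged: masking and GITHUB_ENV writes, with >> "$GITHUB_ENV" quoted …
```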
--- a/.github/workflows/azure-upload.yml +++ b/.github/workflows/azure-upload.yml @@ -21,6 +21,14 @@ jobs: go-version-file: 'go.mod' - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 - run: npm install semver@7.6.2 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Setup build environment run: | if [ "${{ env.ACT }}" = "true" ]; then @@ -51,11 +59,7 @@ jobs: build-args: | package_type=signed-package - name: Build Packages - env: - INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }} - NFPM_SIGNING_KEY_FILE: .key.asc run: | - echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc make clean package - name: Azure Login uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e766d95cda..ca728d88cc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -298,6 +298,14 @@ jobs: - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: 'go.mod' + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Download Packages uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: 
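Review bot: The Build Packages step in `@@ -51,11 +59,7 @@` still sits under `package_type=signed-package` but no longer sets `NFPM_SIGNING_KEY_FILE` or writes `.key.asc`, and the Makefile.packaging hunk drops the `gpg-key` prerequisite from `package`, so nothing in this diff shows where the package signing key now comes from. If it is meant to arrive through the new az-sync step, the `'artifactory'` filter and the env key the packaging reads would have to line up, which I cannot confirm from here; a comment on the step such as `# signing key is exported by the az-sync step above (Key Vault secret <name>)` would make that dependency visible. The same removal appears in ci.yml `@@ -394,11 +419,7 @@` and release-branch.yml `@@ -165,11 +172,7 @@`.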
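Review bot: `secrets-filter: 'artifactory'` is applied by az-sync as `contains(name, '$pattern')` on the Key Vault secret name, and each secret is exported under that exact name, so the values this job later reads as `env.nginx-private-registry-url`, `env.nginx-pkg-jwt`, `env.nginx-pkg-certificate` and `env.nginx-pkg-key` can only be populated if those names contain the substring `artifactory`, which as spelled they do not. Unless something outside this diff sets those env keys, the Docker login and integration-test steps would receive empty strings rather than a failure at this step. Consider filtering on the prefix the consumers actually use (for example `secrets-filter: 'nginx-'`, a constructed value) or naming the required secrets explicitly, and having the action exit non-zero when a pattern matches nothing. The same filter value is used by the other az-sync steps in this diff (azure-upload.yml `@@ -21,6 +21,14 @@`, ci.yml `@@ -349,6 +358,14 @@` and `@@ -375,6 +392,14 @@`, release-branch.yml `@@ -47,7 +47,14 @@`).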
@@ -306,9 +314,9 @@ jobs: - name: Login to Docker Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: - registry: ${{ secrets.TEST_REGISTRY_URL }} - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} + registry: ${{ env.nginx-private-registry-url }} + username: ${{ env.nginx-pkg-jwt }} + password: "none" - name: Set Start Time run: echo "START_TIME=$(date +"%Y-%m-%dT%H:%M:%S.%NZ")" >> ${GITHUB_ENV} - name: Create Directory @@ -320,8 +328,9 @@ jobs: - name: Run Integration Tests run: | go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }} - CONTAINER_NGINX_IMAGE_REGISTRY="${{ secrets.TEST_REGISTRY_URL }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \ + CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \ OS_RELEASE="${{ matrix.container.release }}" IMAGE_PATH="${{ matrix.container.path }}" \ + NGINX_LICENSE_JWT='${{ env.nginx-pkg-jwt }}' \ make official-image-integration-test | tee ${{github.workspace}}/test/dashboard/logs/${{github.job}}/${{matrix.container.image}}${{matrix.container.version}}/raw_logs.log && exit "${PIPESTATUS[0]}" - name: Generate Test Results if: always() 
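Review bot: `NGINX_LICENSE_JWT='${{ env.nginx-pkg-jwt }}'` in `@@ -320,8 +328,9 @@` expands the token into the script text at render time, the same pattern the existing `CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}"` line uses; because the env key contains a hyphen it cannot be read as `$nginx_pkg_jwt` from bash, but a step-level `env:` block with `NGINX_LICENSE_JWT: ${{ env.nginx-pkg-jwt }}` makes the variable available to `make` without interpolating a credential into the command line, after which the `NGINX_LICENSE_JWT=...` prefix can be dropped from the command. The login step in `@@ -306,9 +314,9 @@` passes the same JWT as `username` with `password: "none"`; if that is the registry's intended scheme, a one-line comment above `username:` saying so would spare the next reader a question.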
@@ -349,6 +358,14 @@ jobs: - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: Set up Docker Build uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Build Docker Image uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: @@ -359,8 +376,8 @@ jobs: load: true no-cache: true secrets: | - "nginx-crt=${{ secrets.NGINX_CRT }}" - "nginx-key=${{ secrets.NGINX_KEY }}" + "nginx-crt=${{ env.nginx-pkg-certificate }}" + "nginx-key=${{ env.nginx-pkg-key }}" - name: Run Performance Tests run: docker run -v ${GITHUB_WORKSPACE}:/home/nginx/ --rm nginx-agent-benchmark:1.0.0 @@ -375,6 +392,14 @@ jobs: - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: 'go.mod' + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Setup build environment run: | sudo apt-get update @@ -394,11 +419,7 @@ jobs: build-args: | package_type=signed-package - name: Build Packages - env: - INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }} - NFPM_SIGNING_KEY_FILE: .key.asc run: | - echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc make clean package - name: Upload Artifacts uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml index de0dbc8a55..f179127e08 100644 
--- a/.github/workflows/f5-cla.yml +++ b/.github/workflows/f5-cla.yml @@ -47,5 +47,5 @@ jobs: # Do not lock PRs after a merge. lock-pullrequest-aftermerge: false env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.token }} PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }} diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml index 9ba815df07..4099855e28 100644 --- a/.github/workflows/label-pr.yml +++ b/.github/workflows/label-pr.yml @@ -18,4 +18,4 @@ jobs: with: disable-releaser: true env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.token }} diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 9497dcbb3f..68defb7906 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -47,7 +47,14 @@ jobs: - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: 'go.mod' - + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Create Draft Release uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: release @@ -165,11 +172,7 @@ jobs: package_type=signed-package - name: Build Packages - env: - INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }} - NFPM_SIGNING_KEY_FILE: .key.asc run: | - echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc make clean package - name: Get Id Token diff --git a/Makefile.packaging b/Makefile.packaging index 268f46d05e..b68bfca0fd 100644 --- a/Makefile.packaging +++ b/Makefile.packaging 
@@ -41,7 +41,7 @@ $(GITHUB_PACKAGES_DIR): $(AZURE_PACKAGES_DIR): @mkdir -p $(AZURE_PACKAGES_DIR) -package: gpg-key $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros +package: $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros # Create deb packages @for arch in $(DEB_ARCHS); do \ diff --git a/docs/proto/proto.md b/docs/proto/proto.md index 702dd2518b..2f92aca70d 100644 --- a/docs/proto/proto.md +++ b/docs/proto/proto.md @@ -18,9 +18,6 @@ - [AgentConnectStatus.StatusCode](#f5-nginx-agent-sdk-AgentConnectStatus-StatusCode) - [AgentLogging.Level](#f5-nginx-agent-sdk-AgentLogging-Level) -- [command_svc.proto](#command_svc-proto) - - [Commander](#f5-nginx-agent-sdk-Commander) - - [command.proto](#command-proto) - [AgentActivityStatus](#f5-nginx-agent-sdk-AgentActivityStatus) - [ChunkedResourceChunk](#f5-nginx-agent-sdk-ChunkedResourceChunk) @@ -42,6 +39,9 @@ - [NginxConfigStatus.Status](#f5-nginx-agent-sdk-NginxConfigStatus-Status) - [UploadStatus.TransferStatus](#f5-nginx-agent-sdk-UploadStatus-TransferStatus) +- [command_svc.proto](#command_svc-proto) + - [Commander](#f5-nginx-agent-sdk-Commander) + - [common.proto](#common-proto) - [CertificateDates](#f5-nginx-agent-sdk-CertificateDates) - [CertificateName](#f5-nginx-agent-sdk-CertificateName) @@ -341,34 +341,6 @@ Log level enum - -
- -## command_svc.proto - - - - - - - - - - - -### Commander -Represents a service used to sent command messages between the management server and the agent. - -| Method Name | Request Type | Response Type | Description | -| ----------- | ------------ | ------------- | ------------| -| CommandChannel | [Command](#f5-nginx-agent-sdk-Command) stream | [Command](#f5-nginx-agent-sdk-Command) stream | A Bidirectional streaming RPC established by the agent and is kept open | -| Download | [DownloadRequest](#f5-nginx-agent-sdk-DownloadRequest) | [DataChunk](#f5-nginx-agent-sdk-DataChunk) stream | A streaming RPC established by the agent and is used to download resources associated with commands The download stream will be kept open for the duration of the data transfer and will be closed when its done. The transfer is a stream of chunks as follows: header -> data chunk 1 -> data chunk N. Each data chunk is of a size smaller than the maximum gRPC payload | -| Upload | [DataChunk](#f5-nginx-agent-sdk-DataChunk) stream | [UploadStatus](#f5-nginx-agent-sdk-UploadStatus) | A streaming RPC established by the agent and is used to upload resources associated with commands | - - - - - 
@@ -680,6 +652,34 @@ Transfer status enum + + + +## command_svc.proto + + + + + + + + + + + +### Commander +Represents a service used to sent command messages between the management server and the agent. + +| Method Name | Request Type | Response Type | Description | +| ----------- | ------------ | ------------- | ------------| +| CommandChannel | [Command](#f5-nginx-agent-sdk-Command) stream | [Command](#f5-nginx-agent-sdk-Command) stream | A Bidirectional streaming RPC established by the agent and is kept open | +| Download | [DownloadRequest](#f5-nginx-agent-sdk-DownloadRequest) | [DataChunk](#f5-nginx-agent-sdk-DataChunk) stream | A streaming RPC established by the agent and is used to download resources associated with commands The download stream will be kept open for the duration of the data transfer and will be closed when its done. The transfer is a stream of chunks as follows: header -> data chunk 1 -> data chunk N. Each data chunk is of a size smaller than the maximum gRPC payload | +| Upload | [DataChunk](#f5-nginx-agent-sdk-DataChunk) stream | [UploadStatus](#f5-nginx-agent-sdk-UploadStatus) | A streaming RPC established by the agent and is used to upload resources associated with commands | + + + + +