diff --git a/.github/actions/az-sync/action.yml b/.github/actions/az-sync/action.yml
new file mode 100644
index 0000000000..f758d99284
--- /dev/null
+++ b/.github/actions/az-sync/action.yml
@@ -0,0 +1,64 @@
+name: Sync Secrets from Azure Key Vault
+author: s.breen
+description: az-sync
+inputs:
+ az_client_id:
+ description: 'Azure Client ID'
+ required: true
+ az_tenant_id:
+ description: 'Azure Tenant ID'
+ required: true
+ az_subscription_id:
+ description: 'Azure Subscription ID'
+ required: true
+ keyvault:
+ description: 'Azure Key Vault name'
+ required: true
+ secrets-filter:
+ description: 'Filter for secrets to sync (comma-separated patterns)'
+ required: true
+ default: '*'
+runs:
+ using: "composite"
+ steps:
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ inputs.az_client_id }}
+ tenant-id: ${{ inputs.az_tenant_id }}
+ subscription-id: ${{ inputs.az_subscription_id }}
+
+ - name: Sync
+ shell: bash
+ run: |
+ IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}"
+ for pattern in "${array[@]}"; do
+ echo "Processing pattern: $pattern"
+ for secret_name in $(az keyvault secret list --vault-name "${{ inputs.keyvault }}" --query "[?contains(name, '$pattern')].name" -o tsv); do
+ secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "${{ inputs.keyvault }}" --query value -o tsv)
+ # check if value is multiline
+ if [[ "$secret_value" == *$'\n'* ]]; then
+ # Mask each line for multiline secrets
+ while IFS= read -r line; do
+ [[ -n "$line" ]] && echo "::add-mask::${line}"
+ done <<< "$secret_value"
+
+ # Use heredoc syntax for multiline environment variables
+ delimiter="EOF_${secret_name}_$(date +%s)"
+ {
+ echo "${secret_name}<<${delimiter}"
+ echo "$secret_value"
+ echo "$delimiter"
+ } >> $GITHUB_ENV
+ else
+ echo "::add-mask::${secret_value}"
+ echo "$secret_name=$secret_value" >> $GITHUB_ENV
+ fi
+ echo "Synced secret: env.$secret_name"
+ done
+ done
+
+ - name: Azure logout
+ shell: bash
+ run: |
+ az logout
diff --git a/.github/workflows/azure-upload.yml b/.github/workflows/azure-upload.yml
index 002acda5a5..4b567bb6fd 100644
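Review bot: `${{ inputs.secrets-filter }}` and `${{ inputs.keyvault }}` are substituted into the text of the Sync step's `run:` script before bash parses it, so an input value containing shell metacharacters would be executed rather than treated as data; the callers in this commit pass literals, but the action's own contract should not depend on that. Passing both through the step's `env:` and reading `"$SECRETS_FILTER"` and `"$KEYVAULT"` in the script removes the interpolation, as below. The default `'*'` also does not mean "every secret": the query `[?contains(name, '$pattern')]` is a JMESPath substring test, so `'*'` matches only names containing a literal asterisk; either drop the default or describe the substring semantics in the `secrets-filter` description. Finally, the `az logout` step runs only when Sync succeeds; `if: always()` on that step would log out on failure as well.
```yaml
      - name: Sync
        shell: bash
        env:
          SECRETS_FILTER: ${{ inputs.secrets-filter }}
          KEYVAULT: ${{ inputs.keyvault }}
        run: |
          IFS=',' read -r -a array <<< "$SECRETS_FILTER"
          for pattern in "${array[@]}"; do
            echo "Processing pattern: $pattern"
            for secret_name in $(az keyvault secret list --vault-name "$KEYVAULT" --query "[?contains(name, '$pattern')].name" -o tsv); do
              secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "$KEYVAULT" --query value -o tsv)
              # … unchanged: masking and $GITHUB_ENV export …
```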
--- a/.github/workflows/azure-upload.yml
+++ b/.github/workflows/azure-upload.yml
@@ -51,11 +51,7 @@ jobs:
 build-args: |
 package_type=signed-package
 - name: Build Packages
- env:
- INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
- NFPM_SIGNING_KEY_FILE: .key.asc
 run: |
- echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
 make clean package
 - name: Azure Login
 uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e766d95cda..d35849a29e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -271,6 +271,8 @@ jobs:
 name: Integration Tests - Official Plus Images
 needs: build-unsigned-snapshot
 runs-on: ubuntu-24.04
+ permissions:
+ id-token: write # for OIDC authentication
 if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot/') }}
 strategy:
 fail-fast: false
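Review bot: The Build Packages step keeps `package_type=signed-package` as its build-arg (the context line just above the step) while the `env:` block holding the GPG key and the `.key.asc` decode are removed, so nothing left in this step signs what it builds; unless signing now happens in a step outside this diff, artifacts labelled signed are produced unsigned. The same removal is made in ci.yml at @@ -394 and release-branch.yml at @@ -165, and the matching `signature:` stanzas in .nfpm.yaml, the `gpg-key` prerequisite of `package:` in Makefile.packaging and the `.key.rsa` argument in signed-entrypoint.sh are dropped with it. A comment on the step stating where the packages are signed now, or that they are not, would save the next reader from reconstructing this from seven files.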
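Review bot: Declaring `permissions:` at job level with only `id-token: write` sets every unlisted scope for this job to `none`, including `contents: read`, which the steps of this job (the `steps:` list is outside the hunk) may rely on for `actions/checkout` or other GITHUB_TOKEN use; add `contents: read` next to it unless the job genuinely needs no token access. The Performance Tests job at @@ -345 gets the identical block, and there `- uses: actions/checkout@…` is visible directly under `steps:`, so the same addition applies.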
@@ -303,12 +305,32 @@ jobs:
 with:
 name: nginx-agent-unsigned-snapshots
 path: build
+
+ - name: Get Secrets from Agent Key Vault
+ uses: ./.github/actions/az-sync
+ with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+ keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+ secrets-filter: 'artifactory'
+
+ - name: Sync Secrets from Common Key Vault
+ uses: ./.github/actions/az-sync
+ with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+ keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }}
+ secrets-filter: 'docker,nginx-private-registry,nginx-pkg'
+
 - name: Login to Docker Registry
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
- registry: ${{ secrets.TEST_REGISTRY_URL }}
- username: ${{ secrets.REGISTRY_USERNAME }}
- password: ${{ secrets.REGISTRY_PASSWORD }}
+ registry: ${{ env.nginx-private-registry-url }}
+ username: ${{ env.nginx-pkg-jwt }}
+ password: "none"
+
 - name: Set Start Time
 run: echo "START_TIME=$(date +"%Y-%m-%dT%H:%M:%S.%NZ")" >> ${GITHUB_ENV}
 - name: Create Directory
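Review bot: `registry: ${{ env.nginx-private-registry-url }}` and `username: ${{ env.nginx-pkg-jwt }}` in the Docker login step exist only if the preceding az-sync step found Key Vault secrets with exactly those names; with the substring filter `'docker,nginx-private-registry,nginx-pkg'` a missing or renamed secret leaves both expressions empty and the job fails later inside `docker/login-action` instead of at the source. A guard step between sync and login would fail fast, e.g. `if: ${{ env.nginx-private-registry-url == '' || env.nginx-pkg-jwt == '' }}` with `run: echo "::error::expected Key Vault secrets were not synced"; exit 1`. Note also that every secret the two sync steps match becomes a job-wide environment variable inherited by all later steps, third-party actions included, whereas the `secrets.*` references they replace only reached the steps that named them; keep the filter terms as narrow as the needed secret names allow.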
@@ -320,7 +342,7 @@ jobs:
 - name: Run Integration Tests
 run: |
 go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }}
- CONTAINER_NGINX_IMAGE_REGISTRY="${{ secrets.TEST_REGISTRY_URL }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
+ CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
 OS_RELEASE="${{ matrix.container.release }}" IMAGE_PATH="${{ matrix.container.path }}" \
 make official-image-integration-test | tee ${{github.workspace}}/test/dashboard/logs/${{github.job}}/${{matrix.container.image}}${{matrix.container.version}}/raw_logs.log && exit "${PIPESTATUS[0]}"
 - name: Generate Test Results
@@ -345,10 +367,20 @@ jobs:
 name: Performance Tests
 if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot/') }}
 runs-on: ubuntu-22.04
+ permissions:
+ id-token: write # for OIDC authentication
 steps:
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 - name: Set up Docker Build
 uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+ - name: Sync Secrets from Common Key Vault
+ uses: ./.github/actions/az-sync
+ with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+ keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }}
+ secrets-filter: 'nginx-pkg'
 - name: Build Docker Image
 uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
 with:
@@ -359,8 +391,8 @@ jobs:
 load: true
 no-cache: true
 secrets: |
- "nginx-crt=${{ secrets.NGINX_CRT }}"
- "nginx-key=${{ secrets.NGINX_KEY }}"
+ "nginx-crt=${{ env.nginx-pkg-certificate}}"
+ "nginx-key=${{ env.nginx-pkg-key }}"
 - name: Run Performance Tests
 run: docker run -v ${GITHUB_WORKSPACE}:/home/nginx/ --rm nginx-agent-benchmark:1.0.0
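Review bot: `CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}"` splices a value that now comes from Key Vault into the shell text of the `run:` block, so whoever can change that Key Vault secret can also change the command; the replaced `secrets.TEST_REGISTRY_URL` had the same shape, but the trust boundary has moved from repository secrets to vault contents. Because the hyphenated name cannot be read as a bash variable, map it on the step under a valid name, `env:` followed by `REGISTRY_URL: ${{ env.nginx-private-registry-url }}`, and write `CONTAINER_NGINX_IMAGE_REGISTRY="$REGISTRY_URL"` in the command so the value is passed as data.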
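Review bot: `"nginx-crt=${{ env.nginx-pkg-certificate}}"` in the Build Docker Image secrets is missing the space before `}}` that the sibling `"nginx-key=${{ env.nginx-pkg-key }}"` and the other expressions in this file carry; write `"nginx-crt=${{ env.nginx-pkg-certificate }}"`. The expression evaluates either way, so this is style only.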
@@ -394,11 +426,7 @@ jobs:
 build-args: |
 package_type=signed-package
 - name: Build Packages
- env:
- INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
- NFPM_SIGNING_KEY_FILE: .key.asc
 run: |
- echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
 make clean package
 - name: Upload Artifacts
 uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml
index de0dbc8a55..f179127e08 100644
--- a/.github/workflows/f5-cla.yml
+++ b/.github/workflows/f5-cla.yml
@@ -47,5 +47,5 @@ jobs:
 # Do not lock PRs after a merge.
 lock-pullrequest-aftermerge: false
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ github.token }}
 PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
index 9ba815df07..4099855e28 100644
--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@@ -18,4 +18,4 @@ jobs:
 with:
 disable-releaser: true
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 9497dcbb3f..087a45e256 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -165,11 +165,7 @@ jobs:
 package_type=signed-package
 - name: Build Packages
- env:
- INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
- NFPM_SIGNING_KEY_FILE: .key.asc
 run: |
- echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
 make clean package
 - name: Get Id Token
@@ -184,7 +180,7 @@ jobs:
 - name: Publish Release Packages
 if: ${{ inputs.publishPackages == true }}
 env:
- TOKEN: ${{ steps.idtoken.outputs.id_token }}
+ TOKEN: ${{ github.token }}
 UPLOAD_URL: "https://up-ap.nginx.com"
 run: |
 make release
diff --git a/.nfpm.yaml b/.nfpm.yaml
index e5875fa00e..0a16c22747 100644
--- a/.nfpm.yaml
+++ b/.nfpm.yaml
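Review bot: `TOKEN: ${{ github.token }}` in Publish Release Packages replaces the OIDC id token with the workflow's installation token, while `UPLOAD_URL: "https://up-ap.nginx.com"` on the next line still names an external host; if `make release` (not visible here) presents `$TOKEN` to that URL, a credential with write access to this repository now leaves GitHub, which an id token minted for that audience did not. If TOKEN is instead meant for GitHub API calls, the `Get Id Token` step that remains as context at the end of the @@ -165 hunk (presumably the `idtoken` step the removed line read) has no consumer left and should be removed, and a comment on the `env:` block saying which endpoint each variable authenticates to would make the intent reviewable.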
@@ -39,15 +39,8 @@ overrides:
 depends:
 - apt-transport-https
 deb:
- signature:
- method: dpkg-sig
- key_file: ".key.asc"
 rpm:
- signature:
- key_file: ".key.asc"
 apk:
- signature:
- key_file: ".key.rsa"
 scripts:
 postupgrade: "./scripts/packages/postupgrade.sh"
 scripts:
diff --git a/Makefile.packaging b/Makefile.packaging
index 268f46d05e..b68bfca0fd 100644
--- a/Makefile.packaging
+++ b/Makefile.packaging
@@ -41,7 +41,7 @@ $(GITHUB_PACKAGES_DIR):
 $(AZURE_PACKAGES_DIR):
 @mkdir -p $(AZURE_PACKAGES_DIR)
-package: gpg-key $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
+package: $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
 # Create deb packages
 @for arch in $(DEB_ARCHS); do \
diff --git a/scripts/packages/packager/signed-entrypoint.sh b/scripts/packages/packager/signed-entrypoint.sh
index bd2f0a9700..db4cfda4c8 100644
--- a/scripts/packages/packager/signed-entrypoint.sh
+++ b/scripts/packages/packager/signed-entrypoint.sh
@@ -39,7 +39,7 @@ for freebsd_abi in $FREEBSD_DISTROS; do \
 -p staging/plist \
 -o ./build/packages/txz/"$freebsd_abi"; \
 # create freebsd pkg repo layout
- pkg repo ./build/packages/txz/"$freebsd_abi" .key.rsa; \
+ pkg repo ./build/packages/txz/"$freebsd_abi"; \
 # Creating symbolic link from txz to pkg. In older versions of pkg the extension would represent the format of the file
 # but since version 1.17.0 pkg will now always create a file with the extesion pkg no matter what the format is.
 # See 1.17.0 release notes for more info: https://cgit.freebsd.org/ports/commit/?id=e497a16a286972bfcab908209b11ee6a13d99dc9
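Review bot: `pkg repo ./build/packages/txz/"$freebsd_abi";` now generates the FreeBSD repository catalogue without the `.key.rsa` that the removed line supplied, so the repository metadata is unsigned and `pkg` clients configured to require a signature for this repository will refuse it. If that is intended, the script's name `signed-entrypoint.sh` and the comment above the call no longer describe what it does; `# create freebsd pkg repo layout (repository metadata is not signed here)` would at least record it. The `for freebsd_abi` loop this line sits in starts and ends outside the hunk.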