77 changes: 70 additions & 7 deletions .github/workflows/build-base-images.yml
Expand Up @@ -122,6 +122,30 @@ jobs:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

- name: Azure login
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}

- name: Setup secrets
id: secrets
run: |
echo "Setting secrets for job"
PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
echo "::add-mask::$PLUS_CREDS"
IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${CERT}"
echo $CERT > nginx-repo.crt
IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${KEY}"
echo $KEY > nginx-repo.key

- name: Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

Expand Down Expand Up @@ -171,9 +195,14 @@ jobs:
build-args: |
BUILD_OS=${{ matrix.image }}
IC_VERSION=${{ needs.checks.outputs.ic_version }}
secrets: |
"nginx-repo.crt=${{ secrets.NGINX_CRT }}"
"nginx-repo.key=${{ secrets.NGINX_KEY }}"
secret-files: |
nginx-repo.crt=nginx-repo.crt
nginx-repo.key=nginx-repo.key

- name: Clean up secrets
run: |
rm -f nginx-repo.crt nginx-repo.key
if: always()

build-plus-nap:
name: Build Plus NAP base images
Expand All @@ -190,6 +219,35 @@ jobs:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

- name: Azure login
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}

- name: Setup secrets
id: secrets
run: |
echo "Setting secrets for job"
PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
echo "::add-mask::$PLUS_CREDS"
IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${CERT}"
echo $CERT > nginx-repo.crt
IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${KEY}"
echo $KEY > nginx-repo.key
IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
while read -r line; do
echo "::add-mask::${line}"
done <<< "${RHEL_CREDS}"
echo $RHEL_CREDS > rhel_license

- name: Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

Expand Down Expand Up @@ -242,7 +300,12 @@ jobs:
BUILD_OS=${{ matrix.image }}
IC_VERSION=${{ needs.checks.outputs.ic_version }}
NAP_MODULES=${{ matrix.nap_modules }}
secrets: |
"nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}"
"nginx-repo.key=${{ secrets.NGINX_AP_KEY }}"
${{ contains(matrix.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
secret-files: |
nginx-repo.crt=nginx-repo.crt
nginx-repo.key=nginx-repo.key
${{ contains(matrix.image, 'ubi') && 'rhel_license=rhel_license' || '' }}

- name: Clean up secrets
run: |
rm -f nginx-repo.crt nginx-repo.key rhel_license
if: always()
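Review bot: `echo $CERT > nginx-repo.crt` and `echo $KEY > nginx-repo.key` in the new Setup secrets step write the PEM material through an unquoted expansion that only keeps its line breaks because `IFS=@ CERT=$(...)` leaves IFS set to `@` for the rest of the script, and the value is still subject to glob expansion; `printf '%s\n' "$CERT" > nginx-repo.crt` needs no IFS trick. `jq -r '.crt'` also prints the literal string `null` when the key is absent, so a malformed `plus-creds` secret silently produces an `nginx-repo.crt` containing `null`; `jq -er` turns that into a step failure under the `bash -e` shell GitHub uses when no `shell:` is set. The files are created with the runner's default umask, so a `umask 077` before the writes keeps the private key readable only by the runner user, and passing `NIC_KEYVAULT_NAME` through `env:` rather than `${{ }}` interpolation keeps the secret out of the generated script text. The step's `id: secrets` is unused, since it sets no outputs.
```yaml
      - name: Setup secrets
        env:
          VAULT_NAME: ${{ secrets.NIC_KEYVAULT_NAME }}
        run: |
          set -euo pipefail
          umask 077
          PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name "$VAULT_NAME" --query value -o tsv)
          echo "::add-mask::$PLUS_CREDS"
          CERT=$(jq -er '.crt' <<< "$PLUS_CREDS")
          KEY=$(jq -er '.key' <<< "$PLUS_CREDS")
          # … unchanged: per-line ::add-mask:: loops over CERT and KEY …
          printf '%s\n' "$CERT" > nginx-repo.crt
          printf '%s\n' "$KEY" > nginx-repo.key
```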
52 changes: 44 additions & 8 deletions .github/workflows/build-plus.yml
Expand Up @@ -63,6 +63,37 @@ jobs:
ref: ${{ inputs.branch }}
fetch-depth: 0

- name: Azure login
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
if: ${{ inputs.authenticated }}

- name: Setup secrets
id: secrets
run: |
echo "Setting secrets for job"
PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
echo "::add-mask::$PLUS_CREDS"
IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${CERT}"
echo $CERT > nginx-repo.crt
IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${KEY}"
echo $KEY > nginx-repo.key
IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
while read -r line; do
echo "::add-mask::${line}"
done <<< "${RHEL_CREDS}"
echo $RHEL_CREDS > rhel_license
if: ${{ inputs.authenticated }}

- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
Expand Down Expand Up @@ -154,10 +185,10 @@ jobs:
BUILD_OS=${{ inputs.image }}
IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
secrets: |
"nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
"nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
secret-files: |
nginx-repo.crt=nginx-repo.crt
nginx-repo.key=nginx-repo.key
${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }}

- name: Debug values
Expand Down Expand Up @@ -199,10 +230,10 @@ jobs:
IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
secrets: |
"nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
"nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
secret-files: |
nginx-repo.crt=nginx-repo.crt
nginx-repo.key=nginx-repo.key
${{ contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}

- name: Make directory for security scan results
Expand All @@ -222,3 +253,8 @@ jobs:
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Clean up secrets
run: |
rm -f nginx-repo.crt nginx-repo.key rhel_license
if: always()
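Review bot: The build step at the end of the third hunk (condition `base_exists != 'true' || target_exists != 'true'`, with no `inputs.authenticated` guard) now points `secret-files` at `nginx-repo.crt` and `nginx-repo.key`, but those files are only written by Setup secrets when `inputs.authenticated` is true, so an unauthenticated run that reaches that step should fail on a missing file where it previously received an empty `secrets.NGINX_CRT`. If unauthenticated runs are expected to build there, either extend the guard (`if: ${{ inputs.authenticated && (steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true') }}`) or add a comment on the step stating that it is unreachable without credentials. Both build steps begin above their hunks, so this is based only on the visible `if:` lines. Separately, `echo $CERT > nginx-repo.crt` keeps its newlines only because IFS is left at `@` by the earlier `IFS=@ CERT=$(...)` assignment; `printf '%s\n' "$CERT" > nginx-repo.crt` is the explicit form.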
51 changes: 33 additions & 18 deletions .github/workflows/build-single-image.yml
Expand Up @@ -79,17 +79,35 @@ jobs:
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}

- name: Setup plus credentials
- name: Azure login
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
if: ${{ contains(inputs.target, 'plus') }}

- name: Setup secrets
id: secrets
run: |
printf '%s\n' "${CERT}" > nginx-repo.crt
printf '%s\n' "${KEY}" > nginx-repo.key
if [[ "${{ inputs.target }}" =~ ubi ]]; then
printf '%s\n' "${RHEL}" > rhel_license
fi
env:
CERT: ${{ secrets.NGINX_CRT }}
KEY: ${{ secrets.NGINX_KEY }}
RHEL: ${{ secrets.RHEL_LICENSE }}
echo "Setting secrets for job"
PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
echo "::add-mask::$PLUS_CREDS"
IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${CERT}"
echo $CERT > nginx-repo.crt
IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${KEY}"
echo $KEY > nginx-repo.key
IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
while read -r line; do
echo "::add-mask::${line}"
done <<< "${RHEL_CREDS}"
echo $RHEL_CREDS > rhel_license
if: ${{ contains(inputs.target, 'plus') }}

- name: Fetch Cached Binary Artifacts
Expand All @@ -107,14 +125,6 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOPATH: ${{ steps.vars.outputs.go_path }}
AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }}
AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }}
AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }}
AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }}
AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }}
AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }}
AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }}
AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }}
GORELEASER_CURRENT_TAG: "v${{ steps.vars.outputs.ic_version }}"
if: ${{ steps.binary-cache.outputs.binary_cache_hit != 'true' }}

Expand Down Expand Up @@ -142,3 +152,8 @@ jobs:
REGISTRY: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
PREFIX: ${{ inputs.prefix }}
TAG: ${{ inputs.tag }}

- name: Clean up secrets
run: |
rm -f nginx-repo.crt nginx-repo.key rhel_license
if: always()
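Review bot: The replaced `Setup plus credentials` step wrote the files with `printf '%s\n' "${CERT}"` from `env:`-supplied values and only created `rhel_license` when the target matched `ubi`; the new Setup secrets step regresses to unquoted `echo $CERT` (which preserves line breaks only because `IFS=@` remains set after `IFS=@ CERT=$(...)`), interpolates `${{ secrets.NIC_KEYVAULT_NAME }}` directly into the script, and writes `rhel_license` for every plus target. Keeping `printf '%s\n' "$CERT" > nginx-repo.crt` and restoring an `if [[ "${{ inputs.target }}" =~ ubi ]]` guard around the `rhel-creds` fetch avoids pulling a license the build will not mount. The eight `AWS_*` env entries removed from the goreleaser step in the second hunk have no visible replacement in this diff; if the release configuration still reads them, marketplace builds would lose those values, so this is worth confirming against the goreleaser config.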
37 changes: 34 additions & 3 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -436,6 +436,32 @@ jobs:
with:
version: 'v3.18.6'

- name: Azure login
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
if: ${{ needs.checks.outputs.forked_workflow != 'true' }}

- name: Setup secrets
id: secrets
run: |
echo "Setting secrets for job"
PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
echo "::add-mask::$PLUS_CREDS"
IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${CERT}"
echo $CERT > nginx-repo.crt
IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${KEY}"
echo $KEY > nginx-repo.key
if: ${{ needs.checks.outputs.forked_workflow != 'true' }}

- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
Expand Down Expand Up @@ -490,9 +516,9 @@ jobs:
build-args: |
BUILD_OS=${{ matrix.base-os }}
IC_VERSION=CI
secrets: |
${{ matrix.type == 'plus' && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }}
${{ matrix.type == 'plus' && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }}
secret-files: |
${{ matrix.type == 'plus' && 'nginx-repo.crt=nginx-repo.crt' || '' }}
${{ matrix.type == 'plus' && 'nginx-repo.key=nginx-repo.key' || '' }}
if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}

- name: Deploy Kubernetes
Expand Down Expand Up @@ -551,6 +577,11 @@ jobs:
done
if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}

- name: Clean up secrets
run: |
rm -f nginx-repo.crt nginx-repo.key
if: always()

setup-matrix:
if: ${{ inputs.force || (inputs.run_tests && inputs.run_tests || true) || needs.checks.outputs.docs_only != 'true' }}
name: Setup Matrix for Smoke Tests
Expand Down
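Review bot: Setup secrets runs only when `needs.checks.outputs.forked_workflow != 'true'`, yet the build step that consumes `secret-files: nginx-repo.crt=nginx-repo.crt` at the end of the second hunk runs only when `forked_workflow == 'true'`, so for `matrix.type == 'plus'` entries on a fork the files never exist and docker/build-push-action will fail to open them, where the old `secrets:` form at least received an empty string. If plus images are not meant to build from forks, excluding them from the matrix or adding `matrix.type != 'plus'` to that step's `if:` makes the intent explicit; that build step begins above the hunk, so the rest of its definition is not visible here. `azure/login` with only `client-id`/`tenant-id`/`subscription-id` authenticates via OIDC federation, which needs `permissions: id-token: write` on this job; that block is not in the diff, so confirm it is already present.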
44 changes: 40 additions & 4 deletions .github/workflows/setup-smoke.yml
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,37 @@ jobs:
echo "build_tag=${{ inputs.build-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT
echo "stable_tag=${{ inputs.stable-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT

- name: Azure login
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
if: ${{ inputs.authenticated }}

- name: Setup secrets
id: secrets
run: |
echo "Setting secrets for job"
PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
echo "::add-mask::$PLUS_CREDS"
IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${CERT}"
echo $CERT > nginx-repo.crt
IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${KEY}"
echo $KEY > nginx-repo.key
IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
while read -r line; do
echo "::add-mask::${line}"
done <<< "${RHEL_CREDS}"
echo $RHEL_CREDS > rhel_license
if: ${{ inputs.authenticated }}

- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
Expand Down Expand Up @@ -144,10 +175,10 @@ jobs:
IC_VERSION=CI
${{ contains(inputs.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }}
${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
secrets: |
${{ contains(inputs.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }}
${{ contains(inputs.image, 'nap') && format('"nginx-repo.key={0}"', secrets.NGINX_AP_KEY) || format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }}
${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
secret-files: |
nginx-repo.crt=nginx-repo.crt
nginx-repo.key=nginx-repo.key
${{ contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
if: ${{ !inputs.authenticated }}

- name: Generate WAF v5 tgz from JSON
Expand Down Expand Up @@ -177,3 +208,8 @@ jobs:
name: ${{ steps.smoke-tests.outputs.test-results-name }}
path: ${{ steps.smoke-tests.outputs.test-results-path }}
if: ${{ !cancelled() && steps.stable_exists.outputs.exists != 'true' }}

- name: Clean up secrets
run: |
rm -f nginx-repo.crt nginx-repo.key rhel_license
if: always()
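Review bot: Azure login and Setup secrets are gated on `inputs.authenticated`, while the build step at the end of the second hunk that mounts `nginx-repo.crt`, `nginx-repo.key` and `rhel_license` via `secret-files` runs only when `!inputs.authenticated`, so the files it references are never created on the path where it executes. Either the guards should match (`if: ${{ inputs.authenticated && ... }}` on the build step, or dropping the guard on the setup steps) or the step needs a comment stating why unauthenticated runs are expected to fail there; the build step starts above the hunk, so its name and remaining inputs are not visible. This ~20-line Setup secrets script is now copied verbatim into five workflows; moving it into a composite action (for example `.github/actions/plus-credentials` with `vault-name` and `with-rhel` inputs) means the quoting fix (`printf '%s\n' "$CERT"` instead of `echo $CERT`), a `umask 077`, and the cleanup step are maintained once.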