Commit f366ab5

authored
Merge pull request #8 from akananth/main
merge ngnx
2 parents e82d9e9 + 7be318b commit f366ab5


55 files changed

+4058
-536
lines changed

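--- a/.github/workflows/apply-napv5.yml
+++ b/.github/workflows/apply-napv5.yml
@@ -0,0 +1,376 @@
+name: "NGINX NAP/NIC-V5 Deployment"
+on:
+push:
+branches: [apply-nap]
+env:
+AWS_REGION: us-east-1
+jobs:
+bootstrap_infra:
+name: "Bootstrap S3/DynamoDB"
+runs-on: ubuntu-latest
+defaults:
+run:
+working-directory: ./s3
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v3
+with:
+aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+aws-region: ${{ env.AWS_REGION }}
+
+- name: Setup Terraform
+uses: hashicorp/setup-terraform@v3
+
+- name: Initialize Terraform (S3 Backend)
+run: |
+terraform init
+
+- name: Terraform Plan
+run: terraform plan -no-color -input=false -out=tfplan
+
+- name: Check for Changes
+id: check_changes
+run: |
+if grep -q "No changes." <(terraform show -no-color tfplan); then
+echo "has_changes=false" >> $GITHUB_OUTPUT
+else
+echo "has_changes=true" >> $GITHUB_OUTPUT
+fi
+
+- name: Terraform Apply
+if: github.event_name == 'push' && github.ref == 'refs/heads/apply-nap' && steps.check_changes.outputs.has_changes == 'true'
+run: terraform apply -auto-approve tfplan
+
+
+
+terraform_infra:
+name: "AWS Infra"
+runs-on: ubuntu-latest
+needs: bootstrap_infra
+permissions:
+contents: read
+defaults:
+run:
+working-directory: ./infra
+
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v3
+with:
+aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+aws-region: ${{ env.AWS_REGION }}
+
+- name: Setup Terraform
+uses: hashicorp/setup-terraform@v3
+
+
+- name: Initialize Terraform (S3 Backend)
+run: |
+terraform init
+
+- name: Terraform Plan
+if: github.event_name == 'pull_request' || github.event_name == 'push'
+run: |
+terraform plan -no-color -input=false -out=tfplan
+terraform show -no-color tfplan > plan.txt
+
+- name: Check Changes
+id: check_changes
+run: |
+if grep -q "No changes." plan.txt; then
+echo "has_changes=false" >> $GITHUB_OUTPUT
+else
+echo "has_changes=true" >> $GITHUB_OUTPUT
+fi
+
+- name: Terraform Apply
+if: github.event_name == 'push' && github.ref == 'refs/heads/apply-nap' && steps.check_changes.outputs.has_changes == 'true'
+run: terraform apply -auto-approve tfplan
+
+
+terraform_eks:
+name: "AWS EKS"
+runs-on: ubuntu-latest
+needs: terraform_infra
+defaults:
+run:
+working-directory: ./eks-cluster
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v3
+with:
+aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+aws-region: ${{ env.AWS_REGION }}
+
+- name: Setup Terraform
+uses: hashicorp/setup-terraform@v3
+
+
+- name: Terraform Init
+run: terraform init
+
+- name: Terraform Plan
+if: github.event_name == 'pull_request' || github.event_name == 'push'
+run: |
+terraform plan -no-color -input=false -out=tfplan
+terraform show -no-color tfplan > plan.txt
+
+- name: Check Changes
+id: check_changes
+run: |
+if grep -q "No changes." plan.txt; then
+echo "has_changes=false" >> $GITHUB_OUTPUT
+else
+echo "has_changes=true" >> $GITHUB_OUTPUT
+fi
+
+- name: Terraform Apply
+if: github.event_name == 'push' && github.ref == 'refs/heads/apply-nap' && steps.check_changes.outputs.has_changes == 'true'
+run: terraform apply -auto-approve tfplan
+
+terraform_nap:
+name: "NGINX App Protect"
+runs-on: ubuntu-latest
+needs: terraform_eks
+defaults:
+run:
+working-directory: ./nap
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v3
+with:
+aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+aws-region: ${{ env.AWS_REGION }}
+
+- name: Setup Terraform
+uses: hashicorp/setup-terraform@v3
+
+- name: Terraform Init
+run: terraform init
+
+- name: Terraform Plan
+if: github.event_name == 'pull_request' || github.event_name == 'push'
+run: |
+terraform plan -no-color -input=false -lock=false -out=tfplan \
+-var="workspace_path=${{ env.WORKSPACE_PATH }}" \
+-var="nginx_jwt=${{ secrets.NGINX_JWT }}" \
+-var="nginx_pwd=none"
+terraform show -no-color tfplan > plan.txt
+env:
+WORKSPACE_PATH: "./nap"
+
+
+- name: Check Changes
+id: check_changes
+run: |
+if grep -q "No changes." plan.txt; then
+echo "has_changes=false" >> $GITHUB_OUTPUT
+else
+echo "has_changes=true" >> $GITHUB_OUTPUT
+fi
+
+- name: Terraform Apply
+if: github.event_name == 'push' && github.ref == 'refs/heads/apply-nap' && steps.check_changes.outputs.has_changes == 'true'
+run: terraform apply -auto-approve -lock=false tfplan
+
+terraform_policy:
+name: "NGINX Policy"
+runs-on: ubuntu-latest
+needs: terraform_nap
+defaults:
+run:
+working-directory: ./policy
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v3
+with:
+aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+aws-region: ${{ env.AWS_REGION }}
+
+- name: Setup Terraform
+uses: hashicorp/setup-terraform@v3
+
+
+- name: Terraform Init (EKS)
+run: terraform init
+working-directory: ./eks-cluster
+
+- name: Print EKS Terraform Outputs
+run: terraform output
+working-directory: ./eks-cluster
+
+- name: Fetch EKS Cluster Name and Region
+run: |
+echo "EKS_CLUSTER_NAME=$(terraform output -raw cluster_name)" >> $GITHUB_ENV
+echo "AWS_REGION=$AWS_REGION" >> $GITHUB_ENV
+working-directory: ./eks-cluster
+
+- name: Configure kubectl for EKS
+run: |
+aws eks update-kubeconfig --name $EKS_CLUSTER_NAME --region $AWS_REGION
+
+- name: Verify kubectl connectivity
+run: kubectl get nodes -n nginx-ingress
+
+- name: Install Docker and Docker Compose
+run: |
+sudo apt-get update -y
+sudo apt-get remove -y containerd containerd.io
+sudo apt-get install apt-transport-https ca-certificates curl software-properties-common -y
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update -y
+sudo apt-get install docker-ce docker-ce-cli containerd.io -y
+sudo service docker start
+sudo usermod -aG docker $USER
+
+sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+sudo chmod +x /usr/local/bin/docker-compose
+
+- name: Create Certificates Directory for Docker
+run: |
+sudo mkdir -p /etc/docker/certs.d/private-registry.nginx.com
+
+- name: Create NGINX Repository Certificate for Docker
+run: echo "${{ secrets.NGINX_REPO_CRT }}" | sudo tee /etc/docker/certs.d/private-registry.nginx.com/client.cert > /dev/null
+
+- name: Create NGINX Repository Key for Docker
+run: echo "${{ secrets.NGINX_REPO_KEY }}" | sudo tee /etc/docker/certs.d/private-registry.nginx.com/client.key > /dev/null
+
+- name: Create Certificates Directory for NGINX
+run: |
+sudo mkdir -p /etc/ssl/nginx
+
+- name: Save NGINX Repository Certificate for NGINX
+run: echo "${{ secrets.NGINX_REPO_CRT }}" | sudo tee /etc/ssl/nginx/nginx-repo.crt > /dev/null
+
+- name: Save NGINX Repository Key for NGINX
+run: echo "${{ secrets.NGINX_REPO_KEY }}" | sudo tee /etc/ssl/nginx/nginx-repo.key > /dev/null
+
+- name: Build Docker Image
+run: |
+docker build --no-cache \
+--secret id=nginx-crt,src=/etc/ssl/nginx/nginx-repo.crt \
+--secret id=nginx-key,src=/etc/ssl/nginx/nginx-repo.key \
+-t waf-compiler-5.4.0:custom .
+
+- name: Ensure correct permissions for nap/charts directory
+run: |
+sudo chown -R $USER:$USER ${{ github.workspace }}
+sudo chmod -R 777 ${{ github.workspace }}
+
+- name: Run Docker Container as Root
+run: |
+docker run --rm \
+-v ${{ github.workspace }}:/workspace \
+waf-compiler-5.4.0:custom \
+-p /workspace/policy/policy.json -o /workspace/policy/compiled_policy.tgz
+
+- name: Fix permissions for compiled files
+run: |
+sudo chown -R $USER:$USER ${{ github.workspace }}/policy
+chmod 644 ${{ github.workspace }}/policy/compiled_policy.tgz
+ls -lh ${{ github.workspace }}/policy
+
+
+- name: Copy Compiled Policy to NGINX Ingress Controller
+run: |
+NGINX_POD=$(kubectl get pods -n nginx-ingress -l app.kubernetes.io/name=nginx-ingress -o jsonpath='{.items[0].metadata.name}')
+if [ -z "$NGINX_POD" ]; then
+echo "Error: NGINX Ingress Controller pod not found!"
+exit 1
+fi
+kubectl cp ${{ github.workspace }}/policy/compiled_policy.tgz $NGINX_POD:/etc/app_protect/bundles/compiled_policy.tgz -n nginx-ingress
+
+- name: Terraform Init
+run: terraform init
+
+- name: Terraform Plan
+run: |
+terraform plan -no-color -input=false -out=tfplan
+terraform show -no-color tfplan > plan.txt
+
+- name: Check Changes
+id: check_changes
+run: |
+if grep -q "No changes." plan.txt; then
+echo "has_changes=false" >> $GITHUB_OUTPUT
+else
+echo "has_changes=true" >> $GITHUB_OUTPUT
+fi
+
+- name: Terraform Apply
+if: github.event_name == 'push' && github.ref == 'refs/heads/apply-nap' && steps.check_changes.outputs.has_changes == 'true'
+run: terraform apply -auto-approve tfplan
+
+terraform_arcadia:
+name: "Arcadia WebApp"
+runs-on: ubuntu-latest
+needs: terraform_policy
+defaults:
+run:
+working-directory: ./arcadia
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v3
+with:
+aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+aws-region: ${{ env.AWS_REGION }}
+
+- name: Setup Terraform
+uses: hashicorp/setup-terraform@v3
+
+- name: Terraform Init
+run: terraform init
+
+- name: Terraform Validate
+run: terraform validate -no-color
+
+- name: Terraform Plan
+if: github.event_name == 'pull_request' || github.event_name == 'push'
+run: |
+terraform plan -no-color -input=false -out=tfplan
+terraform show -no-color tfplan > plan.txt
+
+- name: Check Changes
+id: check_changes
+run: |
+if grep -q "No changes." plan.txt; then
+echo "has_changes=false" >> $GITHUB_OUTPUT
+else
+echo "has_changes=true" >> $GITHUB_OUTPUT
+fi
+
+- name: Terraform Apply
+if: github.event_name == 'push' && github.ref == 'refs/heads/apply-nap' && steps.check_changes.outputs.has_changes == 'true'
+run: terraform apply -auto-approve tfplan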
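Review bot: The NAP plan step passes the JWT on the command line, `-var="nginx_jwt=${{ secrets.NGINX_JWT }}"`, which places the secret in the terraform process arguments and in the saved `tfplan` (and, unless the variable is declared `sensitive` in the module, can surface in the `plan.txt` written to the workspace); pass it through the environment instead, adding `TF_VAR_nginx_jwt: ${{ secrets.NGINX_JWT }}` under the step's existing `env:` next to `WORKSPACE_PATH` and dropping the `-var`. The same inline expansion feeds `NGINX_REPO_CRT`/`NGINX_REPO_KEY` to `echo` in the policy job; mapping them to `env:` and writing `"$NGINX_REPO_CRT"` keeps the expanded text out of the script body. `sudo chmod -R 777 ${{ github.workspace }}` before the `docker run` makes the whole checkout world-writable on the runner although the following step only re-chowns `policy/`; running the container with `--user "$(id -u):$(id -g)"`, or chowning just `policy/`, is the narrower fix. Only `terraform_infra` sets `permissions: contents: read`, so every other job gets the default token scope; a workflow-level `permissions:` block would apply the same least privilege throughout. The `docker-compose` binary is fetched from `releases/latest` with no pinned version or checksum and is not used by any visible step, so that download should be pinned or removed.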
