Skip to content

merge ngnx #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Mar 25, 2025
Merged

merge ngnx #8

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
e5f27ae
Update README.md
akananth Mar 25, 2025
6d381f7
Update README.md
akananth Mar 25, 2025
dd50304
Update README.md
akananth Mar 25, 2025
037e8b0
demo
akashdan90 Mar 25, 2025
b9bacd6
demo
akashdan90 Mar 25, 2025
d135318
commit
akashdan90 Mar 25, 2025
4d0270f
Create apply-napv5.yml
akananth Mar 25, 2025
3c1efc2
Create destroy-nic-nap.yml
akananth Mar 25, 2025
7be318b
Merge branch 'f5devcentral:main' into main
akananth Mar 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
376 changes: 376 additions & 0 deletions .github/workflows/apply-napv5.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,376 @@
name: "NGINX NAP/NIC-V5 Deployment"
on:
push:
branches: [apply-nap]
env:
AWS_REGION: us-east-1
jobs:
bootstrap_infra:
name: "Bootstrap S3/DynamoDB"
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./s3
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v3
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
aws-region: ${{ env.AWS_REGION }}

- name: Setup Terraform
uses: hashicorp/setup-terraform@v3

- name: Initialize Terraform (S3 Backend)
run: |
terraform init

- name: Terraform Plan
run: terraform plan -no-color -input=false -out=tfplan

- name: Check for Changes
id: check_changes
run: |
if grep -q "No changes." <(terraform show -no-color tfplan); then
echo "has_changes=false" >> $GITHUB_OUTPUT
else
echo "has_changes=true" >> $GITHUB_OUTPUT
fi

- name: Terraform Apply
if: github.event_name == 'push' && github.ref == 'refs/heads/apply-nap' && steps.check_changes.outputs.has_changes == 'true'
run: terraform apply -auto-approve tfplan



terraform_infra:
name: "AWS Infra"
runs-on: ubuntu-latest
needs: bootstrap_infra
permissions:
contents: read
defaults:
run:
working-directory: ./infra

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v3
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
aws-region: ${{ env.AWS_REGION }}

- name: Setup Terraform
uses: hashicorp/setup-terraform@v3


- name: Initialize Terraform (S3 Backend)
run: |
terraform init

- name: Terraform Plan
if: github.event_name == 'pull_request' || github.event_name == 'push'
run: |
terraform plan -no-color -input=false -out=tfplan
terraform show -no-color tfplan > plan.txt

- name: Check Changes
id: check_changes
run: |
if grep -q "No changes." plan.txt; then
echo "has_changes=false" >> $GITHUB_OUTPUT
else
echo "has_changes=true" >> $GITHUB_OUTPUT
fi

- name: Terraform Apply
if: github.event_name == 'push' && github.ref == 'refs/heads/apply-nap' && steps.check_changes.outputs.has_changes == 'true'
run: terraform apply -auto-approve tfplan


terraform_eks:
name: "AWS EKS"
runs-on: ubuntu-latest
needs: terraform_infra
defaults:
run:
working-directory: ./eks-cluster
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v3
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
aws-region: ${{ env.AWS_REGION }}

- name: Setup Terraform
uses: hashicorp/setup-terraform@v3


- name: Terraform Init
run: terraform init

- name: Terraform Plan
if: github.event_name == 'pull_request' || github.event_name == 'push'
run: |
terraform plan -no-color -input=false -out=tfplan
terraform show -no-color tfplan > plan.txt

- name: Check Changes
id: check_changes
run: |
if grep -q "No changes." plan.txt; then
echo "has_changes=false" >> $GITHUB_OUTPUT
else
echo "has_changes=true" >> $GITHUB_OUTPUT
fi

- name: Terraform Apply
if: github.event_name == 'push' && github.ref == 'refs/heads/apply-nap' && steps.check_changes.outputs.has_changes == 'true'
run: terraform apply -auto-approve tfplan

terraform_nap:
name: "NGINX App Protect"
runs-on: ubuntu-latest
needs: terraform_eks
defaults:
run:
working-directory: ./nap
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v3
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
aws-region: ${{ env.AWS_REGION }}

- name: Setup Terraform
uses: hashicorp/setup-terraform@v3

- name: Terraform Init
run: terraform init

- name: Terraform Plan
if: github.event_name == 'pull_request' || github.event_name == 'push'
run: |
terraform plan -no-color -input=false -lock=false -out=tfplan \
-var="workspace_path=${{ env.WORKSPACE_PATH }}" \
-var="nginx_jwt=${{ secrets.NGINX_JWT }}" \
-var="nginx_pwd=none"
terraform show -no-color tfplan > plan.txt
env:
WORKSPACE_PATH: "./nap"


- name: Check Changes
id: check_changes
run: |
if grep -q "No changes." plan.txt; then
echo "has_changes=false" >> $GITHUB_OUTPUT
else
echo "has_changes=true" >> $GITHUB_OUTPUT
fi

- name: Terraform Apply
if: github.event_name == 'push' && github.ref == 'refs/heads/apply-nap' && steps.check_changes.outputs.has_changes == 'true'
run: terraform apply -auto-approve -lock=false tfplan

terraform_policy:
name: "NGINX Policy"
runs-on: ubuntu-latest
needs: terraform_nap
defaults:
run:
working-directory: ./policy
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v3
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
aws-region: ${{ env.AWS_REGION }}

- name: Setup Terraform
uses: hashicorp/setup-terraform@v3


- name: Terraform Init (EKS)
run: terraform init
working-directory: ./eks-cluster

- name: Print EKS Terraform Outputs
run: terraform output
working-directory: ./eks-cluster

- name: Fetch EKS Cluster Name and Region
run: |
echo "EKS_CLUSTER_NAME=$(terraform output -raw cluster_name)" >> $GITHUB_ENV
echo "AWS_REGION=$AWS_REGION" >> $GITHUB_ENV
working-directory: ./eks-cluster

- name: Configure kubectl for EKS
run: |
aws eks update-kubeconfig --name $EKS_CLUSTER_NAME --region $AWS_REGION

- name: Verify kubectl connectivity
run: kubectl get nodes -n nginx-ingress

- name: Install Docker and Docker Compose
run: |
sudo apt-get update -y
sudo apt-get remove -y containerd containerd.io
sudo apt-get install apt-transport-https ca-certificates curl software-properties-common -y
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update -y
sudo apt-get install docker-ce docker-ce-cli containerd.io -y
sudo service docker start
sudo usermod -aG docker $USER

sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

- name: Create Certificates Directory for Docker
run: |
sudo mkdir -p /etc/docker/certs.d/private-registry.nginx.com

- name: Create NGINX Repository Certificate for Docker
run: echo "${{ secrets.NGINX_REPO_CRT }}" | sudo tee /etc/docker/certs.d/private-registry.nginx.com/client.cert > /dev/null

- name: Create NGINX Repository Key for Docker
run: echo "${{ secrets.NGINX_REPO_KEY }}" | sudo tee /etc/docker/certs.d/private-registry.nginx.com/client.key > /dev/null

- name: Create Certificates Directory for NGINX
run: |
sudo mkdir -p /etc/ssl/nginx

- name: Save NGINX Repository Certificate for NGINX
run: echo "${{ secrets.NGINX_REPO_CRT }}" | sudo tee /etc/ssl/nginx/nginx-repo.crt > /dev/null

- name: Save NGINX Repository Key for NGINX
run: echo "${{ secrets.NGINX_REPO_KEY }}" | sudo tee /etc/ssl/nginx/nginx-repo.key > /dev/null

- name: Build Docker Image
run: |
docker build --no-cache \
--secret id=nginx-crt,src=/etc/ssl/nginx/nginx-repo.crt \
--secret id=nginx-key,src=/etc/ssl/nginx/nginx-repo.key \
-t waf-compiler-5.4.0:custom .

- name: Ensure correct permissions for nap/charts directory
run: |
sudo chown -R $USER:$USER ${{ github.workspace }}
sudo chmod -R 777 ${{ github.workspace }}

- name: Run Docker Container as Root
run: |
docker run --rm \
-v ${{ github.workspace }}:/workspace \
waf-compiler-5.4.0:custom \
-p /workspace/policy/policy.json -o /workspace/policy/compiled_policy.tgz

- name: Fix permissions for compiled files
run: |
sudo chown -R $USER:$USER ${{ github.workspace }}/policy
chmod 644 ${{ github.workspace }}/policy/compiled_policy.tgz
ls -lh ${{ github.workspace }}/policy


- name: Copy Compiled Policy to NGINX Ingress Controller
run: |
NGINX_POD=$(kubectl get pods -n nginx-ingress -l app.kubernetes.io/name=nginx-ingress -o jsonpath='{.items[0].metadata.name}')
if [ -z "$NGINX_POD" ]; then
echo "Error: NGINX Ingress Controller pod not found!"
exit 1
fi
kubectl cp ${{ github.workspace }}/policy/compiled_policy.tgz $NGINX_POD:/etc/app_protect/bundles/compiled_policy.tgz -n nginx-ingress

- name: Terraform Init
run: terraform init

- name: Terraform Plan
run: |
terraform plan -no-color -input=false -out=tfplan
terraform show -no-color tfplan > plan.txt

- name: Check Changes
id: check_changes
run: |
if grep -q "No changes." plan.txt; then
echo "has_changes=false" >> $GITHUB_OUTPUT
else
echo "has_changes=true" >> $GITHUB_OUTPUT
fi

- name: Terraform Apply
if: github.event_name == 'push' && github.ref == 'refs/heads/apply-nap' && steps.check_changes.outputs.has_changes == 'true'
run: terraform apply -auto-approve tfplan

terraform_arcadia:
name: "Arcadia WebApp"
runs-on: ubuntu-latest
needs: terraform_policy
defaults:
run:
working-directory: ./arcadia
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v3
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
aws-region: ${{ env.AWS_REGION }}

- name: Setup Terraform
uses: hashicorp/setup-terraform@v3

- name: Terraform Init
run: terraform init

- name: Terraform Validate
run: terraform validate -no-color

- name: Terraform Plan
if: github.event_name == 'pull_request' || github.event_name == 'push'
run: |
terraform plan -no-color -input=false -out=tfplan
terraform show -no-color tfplan > plan.txt

- name: Check Changes
id: check_changes
run: |
if grep -q "No changes." plan.txt; then
echo "has_changes=false" >> $GITHUB_OUTPUT
else
echo "has_changes=true" >> $GITHUB_OUTPUT
fi

- name: Terraform Apply
if: github.event_name == 'push' && github.ref == 'refs/heads/apply-nap' && steps.check_changes.outputs.has_changes == 'true'
run: terraform apply -auto-approve tfplan
Loading
Loading