Remove secrets encoding

.github/workflows/release.yml

@@ -154,24 +154,6 @@ jobs:
  with:
  path: ${{ github.workspace }}/nginx-ingress
  key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}
- - name: Fetch N+ Certificates
- env:
- CRT: ${{ secrets.NGINX_CRT }}
- KEY: ${{ secrets.NGINX_KEY }}
- run: |
- echo "${CRT}" | base64 --decode > nginx-repo.crt
- echo "${KEY}" | base64 --decode > nginx-repo.key
- if: matrix.type == 'plus'
- - name: Fetch N+ AppProtect Certificates
- env:
- CRT: ${{ secrets.NGINX_AP_CRT }}
- KEY: ${{ secrets.NGINX_AP_KEY }}
- RHEL_LICENSE: ${{ secrets.RHEL_LICENSE }}
- run: |
- echo "${CRT}" | base64 --decode > nginx-repo.crt
- echo "${KEY}" | base64 --decode > nginx-repo.key
- echo "${RHEL_LICENSE}" | base64 --decode > rhel_license
- if: matrix.type == 'plus-ap' || matrix.type == 'plus-ap-openshift'
  - name: Docker Buildx
  uses: docker/setup-buildx-action@v1
  with:
@@ -203,8 +185,8 @@ jobs:
  target: ${{ matrix.target }}
  tags: ${{ env.DOCKER_IMAGE }}:${{ needs.binary.outputs.version }}
  secrets: |
- nginx-repo.crt=${{ secrets.NGINX_CRT }}
- nginx-repo.key=${{ secrets.NGINX_KEY }}
+ "nginx-repo.crt=${{ secrets.KIC_NGINX_CRT }}"
+ "nginx-repo.key=${{ secrets.KIC_NGINX_KEY }}"
  if: matrix.type == 'plus'
  - name: Build AP Docker Image ${{ matrix.image }}
  uses: docker/build-push-action@v2
@@ -216,9 +198,9 @@ jobs:
  target: ${{ matrix.target }}
  tags: ${{ env.DOCKER_IMAGE }}:${{ needs.binary.outputs.version }}
  secrets: |
- nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}
- nginx-repo.key=${{ secrets.NGINX_AP_KEY }}
- rhel_license=${{ secrets.RHEL_LICENSE }}
+ "nginx-repo.crt=${{ secrets.KIC_NGINX_AP_CRT }}"
+ "nginx-repo.key=${{ secrets.KIC_NGINX_AP_KEY }}"
+ "rhel_license=${{ secrets.KIC_RHEL_LICENSE }}"
  if: matrix.type == 'plus-ap' || matrix.type == 'plus-ap-openshift'
 
  smoke-tests:
@@ -344,22 +326,6 @@ jobs:
  with:
  path: ${{ github.workspace }}/nginx-ingress
  key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}
- - name: Fetch N+ Certificates
- env:
- CRT: ${{ secrets.NGINX_CRT }}
- KEY: ${{ secrets.NGINX_KEY }}
- run: |
- echo "${CRT}" | base64 --decode > nginx-repo.crt
- echo "${KEY}" | base64 --decode > nginx-repo.key
- if: matrix.type == 'plus'
- - name: Fetch N+ AppProtect Certificates
- env:
- CRT: ${{ secrets.NGINX_AP_CRT }}
- KEY: ${{ secrets.NGINX_AP_KEY }}
- run: |
- echo "${CRT}" | base64 --decode > nginx-repo.crt
- echo "${KEY}" | base64 --decode > nginx-repo.key
- if: matrix.type == 'plus-ap'
  - name: Docker Buildx
  uses: docker/setup-buildx-action@v1
  with:
@@ -393,8 +359,8 @@ jobs:
  tags: ${{ matrix.image }}:${{ matrix.tag }}
  load: true
  secrets: |
- nginx-repo.crt=${{ secrets.NGINX_CRT }}
- nginx-repo.key=${{ secrets.NGINX_KEY }}
+ "nginx-repo.crt=${{ secrets.KIC_NGINX_CRT }}"
+ "nginx-repo.key=${{ secrets.KIC_NGINX_KEY }}"
  if: matrix.type == 'plus'
  - name: Build AP Docker Image ${{ matrix.image }}
  uses: docker/build-push-action@v2
@@ -407,8 +373,8 @@ jobs:
  tags: ${{ matrix.image }}:${{ matrix.tag }}
  load: true
  secrets: |
- nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}
- nginx-repo.key=${{ secrets.NGINX_AP_KEY }}
+ "nginx-repo.crt=${{ secrets.KIC_NGINX_AP_CRT }}"
+ "nginx-repo.key=${{ secrets.KIC_NGINX_AP_KEY }}"
  if: matrix.type == 'plus-ap'
  - name: Build Test-Runner Container
  uses: docker/build-push-action@v2
@@ -468,8 +434,8 @@ jobs:
  name: Helm Tests
  runs-on: ${{ matrix.os }}
  needs: [build, binary, unit-tests]
- if: 
- github.event_name == 'push' && contains(github.ref, 'release') || 
+ if:
+ github.event_name == 'push' && contains(github.ref, 'release') ||
  github.event_name == 'schedule'
  env:
  NGINX_HTTP_PORT: 8080
@@ -498,14 +464,6 @@ jobs:
  with:
  path: ${{ github.workspace }}/nginx-ingress
  key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}
- - name: Fetch N+ Certificates
- env:
- CRT: ${{ secrets.NGINX_CRT }}
- KEY: ${{ secrets.NGINX_KEY }}
- run: |
- echo "${CRT}" | base64 --decode > nginx-repo.crt
- echo "${KEY}" | base64 --decode > nginx-repo.key
- if: matrix.type == 'plus'
  - name: Docker Buildx
  uses: docker/setup-buildx-action@v1
  with:
@@ -528,8 +486,8 @@ jobs:
  tags: ${{ matrix.image }}:${{ matrix.tag }}
  load: true
  secrets: |
- nginx-repo.crt=${{ secrets.NGINX_CRT }}
- nginx-repo.key=${{ secrets.NGINX_KEY }}
+ "nginx-repo.crt=${{ secrets.KIC_NGINX_CRT }}"
+ "nginx-repo.key=${{ secrets.KIC_NGINX_KEY }}"
  - name: Deploy Kubernetes
  id: k8s
  run: |
@@ -617,7 +575,7 @@ jobs:
  restore-keys: |
  ${{ runner.os }}-buildx-
  - name: DockerHub Login
- uses: docker/login-action@v1 
+ uses: docker/login-action@v1
  with:
  username: ${{ secrets.DOCKER_USERNAME }}
  password: ${{ secrets.DOCKER_PASSWORD }}
@@ -696,8 +654,8 @@ jobs:
  tags: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/${{ matrix.tags }}
  push: true
  secrets: |
- nginx-repo.crt=${{ secrets.NGINX_CRT }}
- nginx-repo.key=${{ secrets.NGINX_KEY }}
+ "nginx-repo.crt=${{ secrets.KIC_NGINX_CRT }}"
+ "nginx-repo.key=${{ secrets.KIC_NGINX_KEY }}"
  if: matrix.image == 'nginx-plus-ingress'
  - name: Push Plus AP to GCR
  uses: docker/build-push-action@v2
@@ -710,19 +668,19 @@ jobs:
  tags: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/${{ matrix.tags }}
  push: true
  secrets: |
- nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}
- nginx-repo.key=${{ secrets.NGINX_AP_KEY }}
- rhel_license=${{ secrets.RHEL_LICENSE }}
+ "nginx-repo.crt=${{ secrets.KIC_NGINX_AP_CRT }}"
+ "nginx-repo.key=${{ secrets.KIC_NGINX_AP_KEY }}"
+ "rhel_license=${{ secrets.KIC_RHEL_LICENSE }}"
  if: matrix.image == 'nginx-plus-ingress-ap'
- 
+
  release-plus-docker:
  name: Release Plus Images
  runs-on: ubuntu-18.04
  needs: [build, binary, unit-tests, publish-plus-docker]
  if: github.event_name == 'create' && contains(github.ref, 'refs/tags/')
  steps:
  - name: GCR Login
- uses: docker/login-action@v1 
+ uses: docker/login-action@v1
  with:
  registry: gcr.io
  username: _json_key

Makefile

@@ -22,6 +22,7 @@ lint:
 
 test:
 ifneq ($(BUILD_IN_CONTAINER),1)
+ @go version || (code=$$?; printf "\033[0;31mError\033[0m: unable to build locally, try using the parameter BUILD_IN_CONTAINER=1\n"; exit $$code)
  GO111MODULE=on GOFLAGS='$(GOFLAGS)' go test ./...
 endif
 
@@ -50,16 +51,16 @@ ifneq ($(BUILD_IN_CONTAINER),1)
  CGO_ENABLED=0 GO111MODULE=on GOFLAGS='$(GOFLAGS)' GOOS=linux go build -installsuffix cgo -ldflags "-w -X main.version=${VERSION} -X main.gitCommit=${GIT_COMMIT}" -o nginx-ingress github.com/nginxinc/kubernetes-ingress/cmd/nginx-ingress
 endif
 
-prepare-license-secrets:
-ifneq (,$$(findstring PlusForOpenShift,$$(DOCKERFILE)))
- mkdir -p tempdir && base64 nginx-repo.crt > tempdir/nginx-repo.crt && base64 nginx-repo.key > tempdir/nginx-repo.key && base64 rhel_license > tempdir/rhel_license
-override DOCKER_BUILD_OPTIONS += --secret id=nginx-repo.crt,src=tempdir/nginx-repo.crt --secret id=nginx-repo.key,src=tempdir/nginx-repo.key --secret id=rhel_license,src=tempdir/rhel_license
-else ifneq (,$$(findstring Plus,$$(DOCKERFILE)))
- mkdir -p tempdir && base64 nginx-repo.crt > tempdir/nginx-repo.crt && base64 nginx-repo.key > tempdir/nginx-repo.key
-override DOCKER_BUILD_OPTIONS += --secret id=nginx-repo.crt,src=tempdir/nginx-repo.crt --secret id=nginx-repo.key,src=tempdir/nginx-repo.key
+prepare-options-secrets:
+ifneq (,$(findstring Plus,$(DOCKERFILE)))
+override DOCKER_BUILD_OPTIONS += --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key
+endif
+ifneq (,$(findstring PlusForOpenShift,$(DOCKERFILE)))
+override DOCKER_BUILD_OPTIONS += --secret id=rhel_license,src=rhel_license
 endif
 
-container: test verify-codegen update-crds binary certificate-and-key prepare-license-secrets
+container: test verify-codegen update-crds binary certificate-and-key prepare-options-secrets
+ @docker -v || (code=$$?; printf "\033[0;31mError\033[0m: there was a problem with Docker\n"; exit $$code)
 ifeq ($(BUILD_IN_CONTAINER),1)
  docker build $(DOCKER_BUILD_OPTIONS) --build-arg IC_VERSION=$(VERSION)-$(GIT_COMMIT) --build-arg GIT_COMMIT=$(GIT_COMMIT) --build-arg VERSION=$(VERSION) --build-arg GOLANG_CONTAINER=$(GOLANG_CONTAINER) --target container -f $(DOCKERFILEPATH)/$(DOCKERFILE) -t $(PREFIX):$(TAG) .
 else
@@ -75,4 +76,3 @@ endif
 
 clean:
  rm -f nginx-ingress
- rm -rf tempdir

build/DockerfileForPlus

@@ -11,11 +11,9 @@ ARG IC_VERSION
 
 # Download certificate and key from the customer portal (https://cs.nginx.com)
 # and install NGINX Plus
-RUN --mount=type=secret,id=nginx-repo.crt \
- --mount=type=secret,id=nginx-repo.key \
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
  set -x \
- && mkdir -p /etc/ssl/nginx && base64 --decode /run/secrets/nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \
- && base64 --decode /run/secrets/nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
  && apt-get update \
  && apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates gnupg1 libcap2-bin \
  && \
@@ -42,7 +40,6 @@ RUN --mount=type=secret,id=nginx-repo.crt \
  'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
  && apt-get remove --purge --auto-remove -y gnupg1 \
  && rm -rf /var/lib/apt/lists/* \
- && rm -rf /etc/ssl/nginx \
  && rm /etc/apt/apt.conf.d/90nginx /etc/apt/sources.list.d/nginx-plus.list
 
 

build/DockerfileWithOpentracingForPlus

@@ -21,11 +21,9 @@ ARG IC_VERSION
 
 # Download certificate and key from the customer portal (https://cs.nginx.com)
 # and install NGINX Plus
-RUN --mount=type=secret,id=nginx-repo.crt \
- --mount=type=secret,id=nginx-repo.key \
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
  set -x \
- && mkdir -p /etc/ssl/nginx && base64 --decode /run/secrets/nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \
- && base64 --decode /run/secrets/nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
  && apt-get update \
  && apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates gnupg1 libcap2-bin \
  && \
@@ -55,7 +53,6 @@ RUN --mount=type=secret,id=nginx-repo.crt \
  'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
  && apt-get remove --purge --auto-remove -y gnupg1 \
  && rm -rf /var/lib/apt/lists/* \
- && rm -rf /etc/ssl/nginx \
  && rm /etc/apt/apt.conf.d/90nginx /etc/apt/sources.list.d/nginx-plus.list
 
 

build/appprotect/DockerfileWithAppProtectForPlus

@@ -18,11 +18,9 @@ ARG IC_VERSION
 
 # Download certificate and key from the customer portal (https://cs.nginx.com)
 # and install NGINX Plus
-RUN --mount=type=secret,id=nginx-repo.crt \
- --mount=type=secret,id=nginx-repo.key \
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
  set -x \
- && mkdir -p /etc/ssl/nginx && base64 --decode /run/secrets/nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \
- && base64 --decode /run/secrets/nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
  && apt-get update \
  && apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates gnupg1 libcap2-bin wget \
  && \
@@ -62,7 +60,6 @@ RUN --mount=type=secret,id=nginx-repo.crt \
  'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
  && apt-get remove --purge --auto-remove -y gnupg1 wget\
  && rm -rf /var/lib/apt/lists/* \
- && rm -rf /etc/ssl/nginx \
  && rm /etc/apt/apt.conf.d/90nginx /etc/apt/sources.list.d/nginx-plus.list \
  && rm /etc/apt/apt.conf.d/90app-protect-sigs /etc/apt/sources.list.d/app-protect-sigs.list
 

build/appprotect/DockerfileWithAppProtectForPlusForOpenShift

@@ -21,13 +21,10 @@ ARG IC_VERSION
 
 # Download certificate and key from the customer portal (https://cs.nginx.com)
 # and install NGINX Plus
-RUN --mount=type=secret,id=nginx-repo.crt \
- --mount=type=secret,id=nginx-repo.key \
- --mount=type=secret,id=rhel_license \
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+ --mount=type=secret,id=rhel_license,dst=/tmp/rhel_license,mode=0644 \
  set -x \
- && mkdir -p /etc/ssl/nginx && base64 --decode /run/secrets/nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \
- && base64 --decode /run/secrets/nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
- && base64 --decode /run/secrets/rhel_license > /tmp/rhel_license \
  && groupadd --system --gid 101 nginx \
  && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
  && source /tmp/rhel_license \
@@ -63,7 +60,6 @@ RUN --mount=type=secret,id=nginx-repo.crt \
  && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
  'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
  && yum remove -y wget \
- && rm -rf /etc/ssl/nginx \
  && rm /etc/yum.repos.d/nginx-plus-7.repo \
  && rm nginx_signing.key /tmp/rhel_license
 
@@ -105,7 +101,7 @@ RUN printf "MODULE = ALL;\nLOG_LEVEL = TS_CRIT;\nFILE = 2;\n" > /etc/app_protect
  ; do sed -i "/\[$v/a log_level=fatal" "/etc/app_protect/tools/asm_logging.conf" \
  ; done
 
-COPY --chown=nginx:0 build/appprotect/log-default.json /etc/nginx 
+COPY --chown=nginx:0 build/appprotect/log-default.json /etc/nginx
 
 EXPOSE 80 443
 

build/openshift/DockerfileForPlus

@@ -15,11 +15,9 @@ ARG IC_VERSION
 
 # Download certificate and key from the customer portal (https://cs.nginx.com)
 # and install NGINX Plus
-RUN --mount=type=secret,id=nginx-repo.crt \
- --mount=type=secret,id=nginx-repo.key \
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
  set -x \
- && mkdir -p /etc/ssl/nginx && base64 --decode /run/secrets/nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \
- && base64 --decode /run/secrets/nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
  && groupadd --system --gid 101 nginx \
  && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
  && yum install -y wget \
@@ -47,7 +45,6 @@ RUN --mount=type=secret,id=nginx-repo.crt \
  && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
  'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
  && yum remove -y wget \
- && rm -rf /etc/ssl/nginx \
  && rm /etc/yum.repos.d/nginx-plus-8.repo \
  && rm nginx_signing.key