Merge branch 'main' into f5-style-installation

nginx · Jul 31, 2024 · 1b15995 · 1b15995
2 parents 6272398 + dc79e1e
commit 1b15995
Show file tree

Hide file tree

Showing 9 changed files with 78 additions and 2 deletions.
diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json
@@ -55,6 +55,14 @@
       "nap_modules": "dos",
       "marker": "dos_learning",
       "platforms": "linux/amd64"
+    },
+    {
+      "label": "AGENT 1/1",
+      "image": "debian-plus-nap",
+      "type": "plus",
+      "nap_modules": "waf",
+      "marker": "agent",
+      "platforms": "linux/amd64"
     }
   ],
   "k8s": []

diff --git a/.github/scripts/create-release-tarballs.sh b/.github/scripts/create-release-tarballs.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -ex
+set -e
 
 directory=$1
 version=$2

diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
@@ -213,6 +213,8 @@ jobs:
         run: |
           [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ matrix.nap_modules }}"
           echo "modules=${modules}" >> $GITHUB_OUTPUT
+          [[ "${{ matrix.nap_modules }}" =~ waf ]] && agent="true" || agent="false"
+          echo "agent=${agent}" >> $GITHUB_OUTPUT
         if: ${{ matrix.nap_modules != '' }}
 
       - name: Docker meta
@@ -242,6 +244,7 @@ jobs:
             BUILD_OS=${{ matrix.image }}
             IC_VERSION=${{ needs.checks.outputs.ic_version }}
             NAP_MODULES=${{ matrix.nap_modules }}
+            ${{ contains(matrix.nap_modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
           secrets: |
             "nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}"
             "nginx-repo.key=${{ secrets.NGINX_AP_KEY }}"

diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
@@ -80,9 +80,11 @@ jobs:
         id: nap_modules
         run: |
           [[ "${{ inputs.nap-modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ inputs.nap-modules }}"
+          echo "name=${name}" >> $GITHUB_OUTPUT
           [[ "${{ inputs.nap-modules }}" == "waf,dos" ]] && modules="both" || modules="${{ inputs.nap-modules }}"
           echo "modules=${modules}" >> $GITHUB_OUTPUT
-          echo "name=${name}" >> $GITHUB_OUTPUT
+          [[ "${{ inputs.nap-modules }}" =~ waf ]] && agent="true" || agent="false"
+          echo "agent=${agent}" >> $GITHUB_OUTPUT
         if: ${{ inputs.nap-modules != '' }}
 
       - name: Docker meta
@@ -143,6 +145,7 @@ jobs:
             BUILD_OS=${{ inputs.image }}
             IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
             ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
+            ${{ contains(inputs.nap-modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
           secrets: |
             "nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
             "nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
@@ -187,6 +190,7 @@ jobs:
             ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_name.outputs.image ) }}
             IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
             ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
+            ${{ contains(inputs.nap-modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
             ${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
             ${{ contains(inputs.image, 'v5') && 'WAF_VERSION=v5' || '' }}
           secrets: |

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -705,4 +705,5 @@ jobs:
       security-events: write
       pull-requests: write # for scout report
     uses: ./.github/workflows/image-promotion.yml
+    secrets: inherit
     if: ${{ inputs.force && inputs.force || false }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -372,6 +372,12 @@ jobs:
         with:
           ref: ${{ inputs.release_branch }}
 
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }}
+
       - name: Publish to AWS Marketplace
         uses: nginxinc/aws-marketplace-publish@9f178512e8e7658fe4aab73d1dac15f3f86fb7b4 # v1.0.4
         continue-on-error: true

diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
@@ -88,6 +88,8 @@ jobs:
         run: |
           [[ "${{ inputs.nap-modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ inputs.nap-modules }}"
           echo "modules=${modules}" >> $GITHUB_OUTPUT
+          [[ "${{ inputs.nap-modules }}" =~ waf ]] && agent="true" || agent="false"
+          echo "agent=${agent}" >> $GITHUB_OUTPUT
         if: ${{ inputs.nap-modules }}
 
       - name: Pull build image
@@ -137,6 +139,7 @@ jobs:
             BUILD_OS=${{ inputs.image }}
             IC_VERSION=CI
             ${{ contains(inputs.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }}
+            ${{ contains(inputs.nap-modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
             ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
           secrets: |
             ${{ contains(inputs.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }}

diff --git a/pyproject.toml b/pyproject.toml
@@ -23,6 +23,7 @@ pythonpath = [
 addopts = "--tb=native -ra --disable-warnings -x -l --profile -v --strict-markers"
 log_cli = true
 markers =[
+    "agent",
     "annotations",
     "appprotect",
     "appprotect_integration",

diff --git a/tests/suite/utils/test_agent_app_protect.py b/tests/suite/utils/test_agent_app_protect.py
@@ -0,0 +1,50 @@
+import pytest
+from kubernetes.stream import stream
+from suite.utils.resources_utils import get_first_pod_name, wait_before_test
+
+
+@pytest.mark.skip_for_nginx_oss
+@pytest.mark.agent
+@pytest.mark.parametrize(
+    "crd_ingress_controller_with_ap",
+    [
+        {
+            "extra_args": [
+                "-enable-app-protect",
+                "-agent=true",
+                "-agent-instance-group=test-ic",
+            ]
+        }
+    ],
+    indirect=["crd_ingress_controller_with_ap"],
+)
+class TestAppProtectAgent:
+    def test_ap_agent(self, kube_apis, ingress_controller_prerequisites, crd_ingress_controller_with_ap):
+        pod_name = get_first_pod_name(kube_apis.v1, "nginx-ingress")
+        log = kube_apis.v1.read_namespaced_pod_log(pod_name, ingress_controller_prerequisites.namespace)
+
+        command = ["/usr/bin/nginx-agent", "-v"]
+        retries = 0
+        while retries <= 3:
+            wait_before_test()
+            try:
+                resp = stream(
+                    kube_apis.v1.connect_get_namespaced_pod_exec,
+                    pod_name,
+                    ingress_controller_prerequisites.namespace,
+                    command=command,
+                    stderr=True,
+                    stdin=False,
+                    stdout=True,
+                    tty=False,
+                )
+                break
+            except Exception as e:
+                print(f"Error: {e}")
+                retries += 1
+                if retries == 3:
+                    raise e
+        result_conf = str(resp)
+
+        assert f"Failed to get nginx-agent version: fork/exec /usr/bin/nginx-agent" not in log
+        assert "nginx-agent version " in result_conf