From f6746242ca6ef48c19cd2daf5d9f7689c6faff48 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Wed, 31 Jul 2024 11:11:59 +0100
Subject: [PATCH 1/4] ensure nginx-agent is installed on WAF images (#6107)
---
 .github/workflows/build-base-images.yml | 3 +++
 .github/workflows/build-plus.yml | 6 +++++-
 .github/workflows/setup-smoke.yml | 3 +++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
index a97886021f..11e2be34de 100644
--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -213,6 +213,8 @@ jobs:
 run: |
 [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ matrix.nap_modules }}"
 echo "modules=${modules}" >> $GITHUB_OUTPUT
+ [[ "${{ matrix.nap_modules }}" =~ waf ]] && agent="true" || agent="false"
+ echo "agent=${agent}" >> $GITHUB_OUTPUT
 if: ${{ matrix.nap_modules != '' }}
 - name: Docker meta
@@ -242,6 +244,7 @@ jobs:
 BUILD_OS=${{ matrix.image }}
 IC_VERSION=${{ needs.checks.outputs.ic_version }}
 NAP_MODULES=${{ matrix.nap_modules }}
+ ${{ contains(matrix.nap_modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
 secrets: |
 "nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}"
 "nginx-repo.key=${{ secrets.NGINX_AP_KEY }}"
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 6af6ee2348..6908d835db 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -80,9 +80,11 @@ jobs:
 id: nap_modules
 run: |
 [[ "${{ inputs.nap-modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ inputs.nap-modules }}"
+ echo "name=${name}" >> $GITHUB_OUTPUT
 [[ "${{ inputs.nap-modules }}" == "waf,dos" ]] && modules="both" || modules="${{ inputs.nap-modules }}"
 echo "modules=${modules}" >> $GITHUB_OUTPUT
- echo "name=${name}" >> $GITHUB_OUTPUT
+ [[ "${{ inputs.nap-modules }}" =~ waf ]] && agent="true" || agent="false"
+ echo "agent=${agent}" >> $GITHUB_OUTPUT
 if: ${{ inputs.nap-modules != '' }}
 - name: Docker meta
@@ -143,6 +145,7 @@ jobs:
 BUILD_OS=${{ inputs.image }}
 IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
 ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
+ ${{ contains(inputs.nap-modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
 secrets: |
 "nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
 "nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
@@ -187,6 +190,7 @@ jobs:
 ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_name.outputs.image ) }}
 IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
 ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
+ ${{ contains(inputs.nap-modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
 ${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
 ${{ contains(inputs.image, 'v5') && 'WAF_VERSION=v5' || '' }}
 secrets: |
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
index 0c8e345806..6b89180923 100644
--- a/.github/workflows/setup-smoke.yml
+++ b/.github/workflows/setup-smoke.yml
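Review bot: The `name` output that the commit moves up in the nap_modules step is never assigned for the `waf,dos` input: the true branch of the preceding line sets `modules="waf-dos"` instead of `name`, so `echo "name=${name}"` writes an empty value and the `NAP_MODULES=` build arg derived from `steps.nap_modules.outputs.name` in the two later hunks of this file is empty for that case, unless `name` is populated somewhere outside the visible lines. The build-base-images.yml hunk in the same patch does not have this problem because it derives its arg from `matrix.nap_modules` directly. Suggest `[[ "${{ inputs.nap-modules }}" == "waf,dos" ]] && name="waf-dos" || name="${{ inputs.nap-modules }}"` for the first line of the run block. The enclosing job starts outside the hunk.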
@@ -88,6 +88,8 @@ jobs:
 run: |
 [[ "${{ inputs.nap-modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ inputs.nap-modules }}"
 echo "modules=${modules}" >> $GITHUB_OUTPUT
+ [[ "${{ inputs.nap-modules }}" =~ waf ]] && agent="true" || agent="false"
+ echo "agent=${agent}" >> $GITHUB_OUTPUT
 if: ${{ inputs.nap-modules }}
 - name: Pull build image
@@ -137,6 +139,7 @@ jobs:
 BUILD_OS=${{ inputs.image }}
 IC_VERSION=CI
 ${{ contains(inputs.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }}
+ ${{ contains(inputs.nap-modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
 ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
 secrets: |
 ${{ contains(inputs.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }}
From 26777a238666329ddff09258d9af4e0f1ac2f3d2 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Wed, 31 Jul 2024 11:43:23 +0100
Subject: [PATCH 2/4] add AWS login to marketplace publish (#6100)
---
 .github/scripts/create-release-tarballs.sh | 2 +-
 .github/workflows/release.yml | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/scripts/create-release-tarballs.sh b/.github/scripts/create-release-tarballs.sh
index 11dd8b6581..4954c4dfe5 100755
--- a/.github/scripts/create-release-tarballs.sh
+++ b/.github/scripts/create-release-tarballs.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-set -ex
+set -e
 directory=$1
 version=$2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d4e7e40f8e..0a8fa9069e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
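Review bot: With `-x` gone from create-release-tarballs.sh, `set -e` alone still lets `directory=$1` and `version=$2` silently become empty when the script is invoked with missing arguments, and there is no longer a command trace in the job log to show where a later failure came from. A stricter prelude fails fast on the unset positional instead: `set -euo pipefail`. If `-x` was dropped to keep expanded arguments out of the log, that is reasonable, but the remaining error handling should then be strict enough to compensate. The rest of the script is outside the hunk.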
@@ -372,6 +372,12 @@ jobs:
 with:
 ref: ${{ inputs.release_branch }}
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+ with:
+ aws-region: us-east-1
+ role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }}
+
 - name: Publish to AWS Marketplace
 uses: nginxinc/aws-marketplace-publish@9f178512e8e7658fe4aab73d1dac15f3f86fb7b4 # v1.0.4
 continue-on-error: true
From 594da3db71daf325de34fccccab9ae81280cc14e Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Wed, 31 Jul 2024 12:05:55 +0100
Subject: [PATCH 3/4] inherit secrets on force image promotion call (#6110)
---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 50c4be1c9e..7e72027ea4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -705,4 +705,5 @@ jobs:
 security-events: write
 pull-requests: write # for scout report
 uses: ./.github/workflows/image-promotion.yml
+ secrets: inherit
 if: ${{ inputs.force && inputs.force || false }}
From dc79e1ed7b6a052b19df79b0f0fec0364b18f4fd Mon Sep 17 00:00:00 2001
From: Venktesh Shivam Patel
Date: Wed, 31 Jul 2024 15:11:42 +0100
Subject: [PATCH 4/4] Add test to check for agent (#6111)
---
 .github/data/matrix-smoke-nap.json | 8 ++++
 pyproject.toml | 1 +
 tests/suite/utils/test_agent_app_protect.py | 50 +++++++++++++++++++++
 3 files changed, 59 insertions(+)
 create mode 100644 tests/suite/utils/test_agent_app_protect.py
diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json
index f4b2b34064..b0726135d9 100644
--- a/.github/data/matrix-smoke-nap.json
+++ b/.github/data/matrix-smoke-nap.json
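Review bot: The new Configure AWS Credentials step in release.yml uses `role-to-assume` with no static access keys, which means it authenticates through GitHub's OIDC token and only works if the job's `permissions` block grants `id-token: write`; that block is outside the hunk, so please confirm it is present, otherwise the step fails at the token exchange before the publish runs. Pinning the action to a commit SHA with the version in a comment is the right way to take this dependency. Note also that the following Publish step is `continue-on-error: true`, so a role that authenticates but lacks marketplace permissions would fail silently; if that is not intended, consider surfacing the publish outcome explicitly.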
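Review bot: `secrets: inherit` on the image-promotion call in ci.yml forwards every secret visible to this workflow, which is broader than the called workflow can use and widens the blast radius of any step running inside it. Least privilege is to pass only the secrets that image-promotion.yml declares under `workflow_call.secrets`, e.g. `secrets:` followed by one `NAME: ${{ secrets.NAME }}` entry per declared secret; that declaration is not in this diff, so the exact list has to be taken from the called workflow. The enclosing job definition starts outside the hunk.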
@@ -55,6 +55,14 @@
 "nap_modules": "dos",
 "marker": "dos_learning",
 "platforms": "linux/amd64"
+ },
+ {
+ "label": "AGENT 1/1",
+ "image": "debian-plus-nap",
+ "type": "plus",
+ "nap_modules": "waf",
+ "marker": "agent",
+ "platforms": "linux/amd64"
 }
 ],
 "k8s": []
diff --git a/pyproject.toml b/pyproject.toml
index 35c2f54aba..0b3de53574 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -23,6 +23,7 @@ pythonpath = [
 addopts = "--tb=native -ra --disable-warnings -x -l --profile -v --strict-markers"
 log_cli = true
 markers =[
+ "agent",
 "annotations",
 "appprotect",
 "appprotect_integration",
diff --git a/tests/suite/utils/test_agent_app_protect.py b/tests/suite/utils/test_agent_app_protect.py
new file mode 100644
index 0000000000..ab881b90c2
--- /dev/null
+++ b/tests/suite/utils/test_agent_app_protect.py
@@ -0,0 +1,50 @@
+import pytest
+from kubernetes.stream import stream
+from suite.utils.resources_utils import get_first_pod_name, wait_before_test
+
+
+@pytest.mark.skip_for_nginx_oss
+@pytest.mark.agent
+@pytest.mark.parametrize(
+ "crd_ingress_controller_with_ap",
+ [
+ {
+ "extra_args": [
+ "-enable-app-protect",
+ "-agent=true",
+ "-agent-instance-group=test-ic",
+ ]
+ }
+ ],
+ indirect=["crd_ingress_controller_with_ap"],
+)
+class TestAppProtectAgent:
+ def test_ap_agent(self, kube_apis, ingress_controller_prerequisites, crd_ingress_controller_with_ap):
+ pod_name = get_first_pod_name(kube_apis.v1, "nginx-ingress")
+ log = kube_apis.v1.read_namespaced_pod_log(pod_name, ingress_controller_prerequisites.namespace)
+
+ command = ["/usr/bin/nginx-agent", "-v"]
+ retries = 0
+ while retries <= 3:
+ wait_before_test()
+ try:
+ resp = stream(
+ kube_apis.v1.connect_get_namespaced_pod_exec,
+ pod_name,
+ ingress_controller_prerequisites.namespace,
+ command=command,
+ stderr=True,
+ stdin=False,
+ stdout=True,
+ tty=False,
+ )
+ break
+ except Exception as e:
+ print(f"Error: {e}")
+ retries += 1
+ if retries == 3:
+ raise e
+ result_conf = str(resp)
+
+ assert f"Failed to get nginx-agent version: fork/exec /usr/bin/nginx-agent" not in log
+ assert "nginx-agent version " in result_conf
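Review bot: The retry loop in test_ap_agent carries two different limits: `while retries <= 3` permits a fourth iteration, but `if retries == 3: raise e` ends the loop after the third failure, and should the loop ever exit without hitting `break`, `resp` is unbound at `result_conf = str(resp)`. A bounded `for` with one limit makes the attempt count explicit and removes the unbound path; using a bare `raise` also keeps the original traceback. Separately, the first assertion's f-string has no placeholders and should be a plain literal: `assert "Failed to get nginx-agent version: fork/exec /usr/bin/nginx-agent" not in log`.
```python
        command = ["/usr/bin/nginx-agent", "-v"]
        max_attempts = 3
        for attempt in range(1, max_attempts + 1):
            wait_before_test()
            try:
                resp = stream(
                    # … unchanged: exec arguments …
                )
                break
            except Exception as e:
                print(f"Error: {e}")
                if attempt == max_attempts:
                    raise
        result_conf = str(resp)
```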