Remove secrets encoding (#1439)

.github/workflows/release.yml

@@ -154,24 +154,6 @@ jobs:
         with:
           path: ${{ github.workspace }}/nginx-ingress
           key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}
-      - name: Fetch N+ Certificates
-        env:
-          CRT: ${{ secrets.NGINX_CRT }}
-          KEY: ${{ secrets.NGINX_KEY }}
-        run: |
-          echo "${CRT}" | base64 --decode > nginx-repo.crt
-          echo "${KEY}" | base64 --decode > nginx-repo.key
-        if: matrix.type == 'plus'
-      - name: Fetch N+ AppProtect Certificates
-        env:
-          CRT: ${{ secrets.NGINX_AP_CRT }}
-          KEY: ${{ secrets.NGINX_AP_KEY }}
-          RHEL_LICENSE: ${{ secrets.RHEL_LICENSE }}
-        run: |
-          echo "${CRT}" | base64 --decode > nginx-repo.crt
-          echo "${KEY}" | base64 --decode > nginx-repo.key
-          echo "${RHEL_LICENSE}" | base64 --decode > rhel_license
-        if: matrix.type == 'plus-ap' || matrix.type == 'plus-ap-openshift'
       - name: Docker Buildx
         uses: docker/setup-buildx-action@v1
         with:
@@ -203,8 +185,8 @@ jobs:
           target: ${{ matrix.target }}
           tags: ${{ env.DOCKER_IMAGE }}:${{ needs.binary.outputs.version }}
           secrets: |
-            nginx-repo.crt=${{ secrets.NGINX_CRT }}
-            nginx-repo.key=${{ secrets.NGINX_KEY }}
+            "nginx-repo.crt=${{ secrets.KIC_NGINX_CRT }}"
+            "nginx-repo.key=${{ secrets.KIC_NGINX_KEY }}"
         if: matrix.type == 'plus'
       - name: Build AP Docker Image ${{ matrix.image }}
         uses: docker/build-push-action@v2
@@ -216,9 +198,9 @@ jobs:
           target: ${{ matrix.target }}
           tags: ${{ env.DOCKER_IMAGE }}:${{ needs.binary.outputs.version }}
           secrets: |
-            nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}
-            nginx-repo.key=${{ secrets.NGINX_AP_KEY }}
-            rhel_license=${{ secrets.RHEL_LICENSE }}
+            "nginx-repo.crt=${{ secrets.KIC_NGINX_AP_CRT }}"
+            "nginx-repo.key=${{ secrets.KIC_NGINX_AP_KEY }}"
+            "rhel_license=${{ secrets.KIC_RHEL_LICENSE }}"
         if: matrix.type == 'plus-ap' || matrix.type == 'plus-ap-openshift'
 
   smoke-tests:
@@ -344,22 +326,6 @@ jobs:
         with:
           path: ${{ github.workspace }}/nginx-ingress
           key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}
-      - name: Fetch N+ Certificates
-        env:
-          CRT: ${{ secrets.NGINX_CRT }}
-          KEY: ${{ secrets.NGINX_KEY }}
-        run: |
-          echo "${CRT}" | base64 --decode > nginx-repo.crt
-          echo "${KEY}" | base64 --decode > nginx-repo.key
-        if: matrix.type == 'plus'
-      - name: Fetch N+ AppProtect Certificates
-        env:
-          CRT: ${{ secrets.NGINX_AP_CRT }}
-          KEY: ${{ secrets.NGINX_AP_KEY }}
-        run: |
-          echo "${CRT}" | base64 --decode > nginx-repo.crt
-          echo "${KEY}" | base64 --decode > nginx-repo.key
-        if: matrix.type == 'plus-ap'
       - name: Docker Buildx
         uses: docker/setup-buildx-action@v1
         with:
@@ -393,8 +359,8 @@ jobs:
           tags: ${{ matrix.image }}:${{ matrix.tag }}
           load: true
           secrets: |
-            nginx-repo.crt=${{ secrets.NGINX_CRT }}
-            nginx-repo.key=${{ secrets.NGINX_KEY }}
+            "nginx-repo.crt=${{ secrets.KIC_NGINX_CRT }}"
+            "nginx-repo.key=${{ secrets.KIC_NGINX_KEY }}"
         if: matrix.type == 'plus'
       - name: Build AP Docker Image ${{ matrix.image }}
         uses: docker/build-push-action@v2
@@ -407,8 +373,8 @@ jobs:
           tags: ${{ matrix.image }}:${{ matrix.tag }}
           load: true
           secrets: |
-            nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}
-            nginx-repo.key=${{ secrets.NGINX_AP_KEY }}
+            "nginx-repo.crt=${{ secrets.KIC_NGINX_AP_CRT }}"
+            "nginx-repo.key=${{ secrets.KIC_NGINX_AP_KEY }}"
         if: matrix.type == 'plus-ap'
       - name: Build Test-Runner Container
         uses: docker/build-push-action@v2
@@ -468,8 +434,8 @@ jobs:
     name: Helm Tests
     runs-on: ${{ matrix.os }}
     needs: [build, binary, unit-tests]
-    if: 
-      github.event_name == 'push' && contains(github.ref, 'release') || 
+    if:
+      github.event_name == 'push' && contains(github.ref, 'release') ||
       github.event_name == 'schedule'
     env:
       NGINX_HTTP_PORT: 8080
@@ -498,14 +464,6 @@ jobs:
         with:
           path: ${{ github.workspace }}/nginx-ingress
           key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}
-      - name: Fetch N+ Certificates
-        env:
-          CRT: ${{ secrets.NGINX_CRT }}
-          KEY: ${{ secrets.NGINX_KEY }}
-        run: |
-          echo "${CRT}" | base64 --decode > nginx-repo.crt
-          echo "${KEY}" | base64 --decode > nginx-repo.key
-        if: matrix.type == 'plus'
       - name: Docker Buildx
         uses: docker/setup-buildx-action@v1
         with:
@@ -528,8 +486,8 @@ jobs:
           tags: ${{ matrix.image }}:${{ matrix.tag }}
           load: true
           secrets: |
-            nginx-repo.crt=${{ secrets.NGINX_CRT }}
-            nginx-repo.key=${{ secrets.NGINX_KEY }}
+            "nginx-repo.crt=${{ secrets.KIC_NGINX_CRT }}"
+            "nginx-repo.key=${{ secrets.KIC_NGINX_KEY }}"
       - name: Deploy Kubernetes
         id: k8s
         run: |
@@ -617,7 +575,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-buildx-
       - name: DockerHub Login
-        uses: docker/login-action@v1 
+        uses: docker/login-action@v1
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
@@ -696,8 +654,8 @@ jobs:
           tags: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/${{ matrix.tags }}
           push: true
           secrets: |
-            nginx-repo.crt=${{ secrets.NGINX_CRT }}
-            nginx-repo.key=${{ secrets.NGINX_KEY }}
+            "nginx-repo.crt=${{ secrets.KIC_NGINX_CRT }}"
+            "nginx-repo.key=${{ secrets.KIC_NGINX_KEY }}"
         if: matrix.image == 'nginx-plus-ingress'
       - name: Push Plus AP to GCR
         uses: docker/build-push-action@v2
@@ -710,19 +668,19 @@ jobs:
           tags: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/${{ matrix.tags }}
           push: true
           secrets: |
-            nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}
-            nginx-repo.key=${{ secrets.NGINX_AP_KEY }}
-            rhel_license=${{ secrets.RHEL_LICENSE }}
+            "nginx-repo.crt=${{ secrets.KIC_NGINX_AP_CRT }}"
+            "nginx-repo.key=${{ secrets.KIC_NGINX_AP_KEY }}"
+            "rhel_license=${{ secrets.KIC_RHEL_LICENSE }}"
         if: matrix.image == 'nginx-plus-ingress-ap'
-  
+
   release-plus-docker:
     name: Release Plus Images
     runs-on: ubuntu-18.04
     needs: [build, binary, unit-tests, publish-plus-docker]
     if: github.event_name == 'create' && contains(github.ref, 'refs/tags/')
     steps:
       - name: GCR Login
-        uses: docker/login-action@v1 
+        uses: docker/login-action@v1
         with:
           registry: gcr.io
           username: _json_key

Makefile

@@ -22,6 +22,7 @@ lint:
 
 test:
 ifneq ($(BUILD_IN_CONTAINER),1)
+	@go version || (code=$$?; printf "\033[0;31mError\033[0m: unable to build locally, try using the parameter BUILD_IN_CONTAINER=1\n"; exit $$code)
 	GO111MODULE=on GOFLAGS='$(GOFLAGS)' go test ./...
 endif
 
@@ -50,16 +51,16 @@ ifneq ($(BUILD_IN_CONTAINER),1)
 	CGO_ENABLED=0 GO111MODULE=on GOFLAGS='$(GOFLAGS)' GOOS=linux go build -installsuffix cgo -ldflags "-w -X main.version=${VERSION} -X main.gitCommit=${GIT_COMMIT}" -o nginx-ingress github.com/nginxinc/kubernetes-ingress/cmd/nginx-ingress
 endif
 
-prepare-license-secrets:
-ifneq (,$$(findstring PlusForOpenShift,$$(DOCKERFILE)))
-	mkdir -p tempdir && base64 nginx-repo.crt > tempdir/nginx-repo.crt && base64 nginx-repo.key > tempdir/nginx-repo.key && base64 rhel_license > tempdir/rhel_license
-override DOCKER_BUILD_OPTIONS += --secret id=nginx-repo.crt,src=tempdir/nginx-repo.crt --secret id=nginx-repo.key,src=tempdir/nginx-repo.key --secret id=rhel_license,src=tempdir/rhel_license
-else ifneq (,$$(findstring Plus,$$(DOCKERFILE)))
-	mkdir -p tempdir && base64 nginx-repo.crt > tempdir/nginx-repo.crt && base64 nginx-repo.key > tempdir/nginx-repo.key
-override DOCKER_BUILD_OPTIONS += --secret id=nginx-repo.crt,src=tempdir/nginx-repo.crt --secret id=nginx-repo.key,src=tempdir/nginx-repo.key
+prepare-options-secrets:
+ifneq (,$(findstring Plus,$(DOCKERFILE)))
+override DOCKER_BUILD_OPTIONS += --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key
+endif
+ifneq (,$(findstring PlusForOpenShift,$(DOCKERFILE)))
+override DOCKER_BUILD_OPTIONS += --secret id=rhel_license,src=rhel_license
 endif
 
-container: test verify-codegen update-crds binary certificate-and-key prepare-license-secrets
+container: test verify-codegen update-crds binary certificate-and-key prepare-options-secrets
+	@docker -v || (code=$$?; printf "\033[0;31mError\033[0m: there was a problem with Docker\n"; exit $$code)
 ifeq ($(BUILD_IN_CONTAINER),1)
 	docker build $(DOCKER_BUILD_OPTIONS) --build-arg IC_VERSION=$(VERSION)-$(GIT_COMMIT) --build-arg GIT_COMMIT=$(GIT_COMMIT) --build-arg VERSION=$(VERSION) --build-arg GOLANG_CONTAINER=$(GOLANG_CONTAINER) --target container -f $(DOCKERFILEPATH)/$(DOCKERFILE) -t $(PREFIX):$(TAG) .
 else
@@ -75,4 +76,3 @@ endif
 
 clean:
 	rm -f nginx-ingress
-	rm -rf tempdir

build/DockerfileForPlus

@@ -11,11 +11,9 @@ ARG IC_VERSION
 
 # Download certificate and key from the customer portal (https://cs.nginx.com)
 # and install NGINX Plus
-RUN --mount=type=secret,id=nginx-repo.crt \
-	--mount=type=secret,id=nginx-repo.key \
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+	--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 	set -x \
-	&& mkdir -p /etc/ssl/nginx && base64 --decode /run/secrets/nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt  \
-	&& base64 --decode /run/secrets/nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
 	&& apt-get update \
 	&& apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates gnupg1 libcap2-bin \
 	&& \
@@ -42,7 +40,6 @@ RUN --mount=type=secret,id=nginx-repo.crt \
 	          'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
 	&& apt-get remove --purge --auto-remove -y gnupg1 \
 	&& rm -rf /var/lib/apt/lists/* \
-	&& rm -rf /etc/ssl/nginx \
 	&& rm /etc/apt/apt.conf.d/90nginx /etc/apt/sources.list.d/nginx-plus.list
 
 

build/DockerfileWithOpentracingForPlus

@@ -21,11 +21,9 @@ ARG IC_VERSION
 
 # Download certificate and key from the customer portal (https://cs.nginx.com)
 # and install NGINX Plus
-RUN --mount=type=secret,id=nginx-repo.crt \
-	--mount=type=secret,id=nginx-repo.key \
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+	--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 	set -x \
-	&& mkdir -p /etc/ssl/nginx && base64 --decode /run/secrets/nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt  \
-	&& base64 --decode /run/secrets/nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
 	&& apt-get update \
 	&& apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates gnupg1 libcap2-bin \
 	&& \
@@ -55,7 +53,6 @@ RUN --mount=type=secret,id=nginx-repo.crt \
 	          'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
 	&& apt-get remove --purge --auto-remove -y gnupg1 \
 	&& rm -rf /var/lib/apt/lists/* \
-	&& rm -rf /etc/ssl/nginx \
 	&& rm /etc/apt/apt.conf.d/90nginx /etc/apt/sources.list.d/nginx-plus.list
 
 

build/appprotect/DockerfileWithAppProtectForPlus

@@ -18,11 +18,9 @@ ARG IC_VERSION
 
 # Download certificate and key from the customer portal (https://cs.nginx.com)
 # and install NGINX Plus
-RUN --mount=type=secret,id=nginx-repo.crt \
-	--mount=type=secret,id=nginx-repo.key \
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+	--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 	set -x \
-	&& mkdir -p /etc/ssl/nginx && base64 --decode /run/secrets/nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt  \
-	&& base64 --decode /run/secrets/nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
 	&& apt-get update \
 	&& apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates gnupg1 libcap2-bin wget \
 	&& \
@@ -62,7 +60,6 @@ RUN --mount=type=secret,id=nginx-repo.crt \
 	          'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
 	&& apt-get remove --purge --auto-remove -y gnupg1 wget\
 	&& rm -rf /var/lib/apt/lists/* \
-	&& rm -rf /etc/ssl/nginx \
 	&& rm /etc/apt/apt.conf.d/90nginx /etc/apt/sources.list.d/nginx-plus.list \
 	&& rm /etc/apt/apt.conf.d/90app-protect-sigs /etc/apt/sources.list.d/app-protect-sigs.list
 

build/appprotect/DockerfileWithAppProtectForPlusForOpenShift

@@ -21,13 +21,10 @@ ARG IC_VERSION
 
 # Download certificate and key from the customer portal (https://cs.nginx.com)
 # and install NGINX Plus
-RUN --mount=type=secret,id=nginx-repo.crt \
-	--mount=type=secret,id=nginx-repo.key \
-	--mount=type=secret,id=rhel_license \
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+	--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+	--mount=type=secret,id=rhel_license,dst=/tmp/rhel_license,mode=0644 \
 	set -x \
-	&& mkdir -p /etc/ssl/nginx && base64 --decode /run/secrets/nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt  \
-	&& base64 --decode /run/secrets/nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
-	&& base64 --decode /run/secrets/rhel_license > /tmp/rhel_license \
 	&& groupadd --system --gid 101 nginx \
 	&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
 	&& source /tmp/rhel_license \
@@ -63,7 +60,6 @@ RUN --mount=type=secret,id=nginx-repo.crt \
 	&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
 	          'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
 	&& yum remove -y wget \
-	&& rm -rf /etc/ssl/nginx \
 	&& rm /etc/yum.repos.d/nginx-plus-7.repo \
 	&& rm nginx_signing.key /tmp/rhel_license
 
@@ -105,7 +101,7 @@ RUN printf "MODULE = ALL;\nLOG_LEVEL = TS_CRIT;\nFILE = 2;\n" > /etc/app_protect
 	; do sed -i "/\[$v/a log_level=fatal" "/etc/app_protect/tools/asm_logging.conf" \
 	; done
 
-COPY --chown=nginx:0 build/appprotect/log-default.json /etc/nginx  
+COPY --chown=nginx:0 build/appprotect/log-default.json /etc/nginx
 
 EXPOSE 80 443
 

build/openshift/DockerfileForPlus

@@ -15,11 +15,9 @@ ARG IC_VERSION
 
 # Download certificate and key from the customer portal (https://cs.nginx.com)
 # and install NGINX Plus
-RUN --mount=type=secret,id=nginx-repo.crt \
-	--mount=type=secret,id=nginx-repo.key \
+RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+	--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 	set -x \
-	&& mkdir -p /etc/ssl/nginx && base64 --decode /run/secrets/nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt  \
-	&& base64 --decode /run/secrets/nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
 	&& groupadd --system --gid 101 nginx \
 	&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
 	&& yum install -y wget \
@@ -47,7 +45,6 @@ RUN --mount=type=secret,id=nginx-repo.crt \
 	&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
 	          'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
 	&& yum remove -y wget \
-	&& rm -rf /etc/ssl/nginx \
 	&& rm /etc/yum.repos.d/nginx-plus-8.repo \
 	&& rm nginx_signing.key