feat!: Add support for NGINX Plus R33 and the new JWT license (#814)

Author: alessfg

Diff for: .github/workflows/molecule.yml

@@ -44,6 +44,7 @@ jobs:
       AMPLIFY_PASSWORD: ${{ secrets.AMPLIFY_PASSWORD }}
       NGINX_CRT: ${{ secrets.NGINX_CRT }}
       NGINX_KEY: ${{ secrets.NGINX_KEY }}
+      NGINX_JWT: ${{ secrets.NGINX_JWT }}
       ONE_API_TOKEN: ${{ secrets.ONE_API_TOKEN }}
       ONE_TENANT: ${{ secrets.ONE_TENANT }}
     strategy:

Diff for: .gitignore

@@ -1,25 +1,41 @@
-# Any private crt and keys #
-############################
+########################
+# Any crt/keys/license #
+########################
 *.crt
 *.key
+*.jwt
+
+##########################
+# Backup/temporary files #
+##########################
 *~
 \#*
 
-# OS Specific #
-###############
+##################
+# MacOS specific #
+##################
 Thumbs.db
 .DS_Store
 .vscode
 
+########################
+# Code editor specific #
+########################
+.idea
+.vscode
+
+####################
 # Ansible specific #
 ####################
 .cache
 *.retry
 
+###################
 # Python specific #
 ###################
 __pycache__
 
+########
 # Logs #
 ########
 *.log

Diff for: CHANGELOG.md

@@ -4,19 +4,21 @@
 
 BREAKING CHANGES:
 
+- NGINX Plus requires a JWT license starting with R33. Make sure you include the path to the base64 encoded JWT license using the new `nginx_license['jwt']` parameter.
 - Remove support for RHEL 7 based distributions (RHEL/CentOS/Oracle Linux 7). CentOS 7 has reached EoL, RHEL 7 has reached EoM, and Oracle Linux 7 will reach EoL shortly. These distributions will not be supported by new NGINX releases moving forward. If you are still using one of these distributions, please consider upgrading. If you still want to use this role for the time being, please use the previous release (0.24.3). Do note that you will only be able to use NGINX versions released as of the date of the aforementioned release (July 11, 2024).
-- Remove support for installing NGINX Open Source on Alpine Linux 3.16.
+- Remove support for installing NGINX Open Source and NGINX Plus on Alpine Linux 3.16.
+- Remove support for installing NGINX Open Source on Ubuntu mantic.
 - No longer omit `allow_downgrade` module parameter when running Ansible versions lower than `2.12`.
 
 FEATURES:
 
 - Add support for templating the entire NGINX Agent configuration file.
 - Add support for installing and configuring the NGINX Plus HA keepalived package.
 - Add validation tasks to check the Ansible version, the Jinja2 version, whether the required Ansible collections for this role are installed, and whether you are trying to install a valid NGINX module.
-- Add support for installing NGINX Open Source on Alpine Linux 3.20.
+- Add support for installing NGINX Open Source and NGINX Plus on Alpine Linux 3.20.
+- Add support for installing NGINX Open Source on Ubuntu oracular.
 - Add support for installing NGINX Agent on Ubuntu noble.
 - Bump the minimum version of Ansible supported to `2.16`, whilst clarifying that Ansible `2.18` is not supported at this stage.
-- Bump the Ansible `community.general` collection to `9.2.0`, `community.crypto` collection to `2.21.1` and `community.docker` collection to `3.11.0`.
 
 DOCUMENTATION:
 
@@ -34,7 +36,7 @@ MAINTENANCE:
 
 CI/CD:
 
-- Update GitHub Actions to Ubuntu 24.04.
+- Update GitHub Actions to Ubuntu 24.04 (noble).
 - Switch GitHub Actions from using tags to release hashes.
 - Remove commented out Molecule platforms and GitHub Actions QEMU step for the time being. These changes will be reverted if multi-arch testing can be reinstated in GitHub Actions.
 - Bump the minimum version of Ansible supported on Ansible Galaxy to `2.16`.

Diff for: defaults/main/main.yml

@@ -79,11 +79,16 @@ nginx_static_modules: [http_ssl_module]
 # Default is mainline.
 nginx_branch: mainline
 
-# Location of your NGINX Plus license in your local machine.
+# Location of your NGINX Plus license (certificate, key, and JWT) in your local machine. The license JWT is only required starting with NGINX Plus R33 and later.
+# For the license JWT, you can optionally specify a custom destination path for the JWT by using the 'src' and 'dest' parameters.
 # Default is the files folder within the NGINX Ansible role.
 nginx_license:
   certificate: license/nginx-repo.crt
   key: license/nginx-repo.key
+  jwt: license/license.jwt
+  # jwt:
+  #   src: license/license.jwt
+  #   dest: /etc/nginx/license.jwt
 
 # Set up NGINX Plus license before installation.
 # Default is true.

Diff for: molecule/agent/molecule.yml

@@ -93,6 +93,7 @@ platforms:
     command: /usr/sbin/init
   - name: oraclelinux-9
     image: oraclelinux:9
+    platform: x86_64
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host
@@ -108,7 +109,7 @@ platforms:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /usr/sbin/init
   - name: rhel-9
-    image: redhat/ubi9:9.4
+    image: redhat/ubi9:9.5
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host

Diff for: molecule/amplify/molecule.yml

@@ -28,7 +28,7 @@ platforms:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /usr/sbin/init
   - name: rhel-9
-    image: redhat/ubi9:9.4
+    image: redhat/ubi9:9.5
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host

Diff for: molecule/default/molecule.yml

@@ -93,6 +93,7 @@ platforms:
     command: /usr/sbin/init
   - name: oraclelinux-9
     image: oraclelinux:9
+    platform: x86_64
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host
@@ -108,7 +109,7 @@ platforms:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /usr/sbin/init
   - name: rhel-9
-    image: redhat/ubi9:9.4
+    image: redhat/ubi9:9.5
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host
@@ -156,16 +157,16 @@ platforms:
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /sbin/init
-  - name: ubuntu-mantic
-    image: ubuntu:mantic
+  - name: ubuntu-noble
+    image: ubuntu:noble
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /sbin/init
-  - name: ubuntu-noble
-    image: ubuntu:noble
+  - name: ubuntu-oracular
+    image: ubuntu:oracular
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host

Diff for: molecule/distribution/molecule.yml

@@ -93,6 +93,7 @@ platforms:
     command: /usr/sbin/init
   - name: oraclelinux-9
     image: oraclelinux:9
+    platform: x86_64
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host
@@ -108,7 +109,7 @@ platforms:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /usr/sbin/init
   - name: rhel-9
-    image: redhat/ubi9:9.4
+    image: redhat/ubi9:9.5
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host
@@ -156,16 +157,16 @@ platforms:
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /sbin/init
-  - name: ubuntu-mantic
-    image: ubuntu:mantic
+  - name: ubuntu-noble
+    image: ubuntu:noble
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /sbin/init
-  - name: ubuntu-noble
-    image: ubuntu:noble
+  - name: ubuntu-oracular
+    image: ubuntu:oracular
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host

Diff for: molecule/downgrade-plus/converge.yml

@@ -4,22 +4,22 @@
   pre_tasks:
     - name: Set repo if Alpine
       ansible.builtin.set_fact:
-        version: =31-r1
+        version: =32-r1
         cacheable: true
       when: ansible_facts['os_family'] == "Alpine"
     - name: Set repo if Debian
       ansible.builtin.set_fact:
-        version: =31-1~{{ ansible_facts['distribution_release'] }}
+        version: =32-1~{{ ansible_facts['distribution_release'] }}
         cacheable: true
       when: ansible_facts['os_family'] == "Debian"
     - name: Set repo if Red Hat
       ansible.builtin.set_fact:
-        version: -31-1.{{ (ansible_facts['distribution'] == "Amazon") | ternary(('amzn' + ansible_facts['distribution_major_version'] | string), ('el' + ansible_facts['distribution_major_version'] | string)) }}.ngx
+        version: -32-1.{{ (ansible_facts['distribution'] == "Amazon") | ternary(('amzn' + ansible_facts['distribution_major_version'] | string), ('el' + ansible_facts['distribution_major_version'] | string)) }}.ngx
         cacheable: true
       when: ansible_facts['os_family'] == "RedHat"
     - name: Set repo if SLES
       ansible.builtin.set_fact:
-        version: =31-1.sles{{ ansible_facts['distribution_major_version'] }}.ngx
+        version: =32-1.sles{{ ansible_facts['distribution_major_version'] }}.ngx
         cacheable: true
       when: ansible_facts['os_family'] == "Suse"
   tasks:

Diff for: molecule/downgrade-plus/molecule.yml

@@ -1,7 +1,7 @@
 ---
 driver:
   name: docker
-platforms: # Ubuntu noble only has one version of NGINX Plus available (at the moment) so it's impossible to test the downgrade scenario
+platforms: # Alpine Linux 3.20 only has one version of NGINX Plus available (at the moment) so it's impossible to test the downgrade scenario
   - name: almalinux-8
     image: almalinux:8
     dockerfile: ../common/Dockerfile.j2
@@ -18,15 +18,6 @@ platforms: # Ubuntu noble only has one version of NGINX Plus available (at the m
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /usr/sbin/init
-  - name: alpine-3.16
-    image: alpine:3.16
-    platform: x86_64
-    dockerfile: ../common/Dockerfile.j2
-    privileged: true
-    cgroupns_mode: host
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:rw
-    command: /sbin/init
   - name: alpine-3.17
     image: alpine:3.17
     dockerfile: ../common/Dockerfile.j2
@@ -51,6 +42,15 @@ platforms: # Ubuntu noble only has one version of NGINX Plus available (at the m
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /sbin/init
+  # - name: alpine-3.20
+  #   image: alpine:3.20
+  #   platform: x86_64
+  #   dockerfile: ../common/Dockerfile.j2
+  #   privileged: true
+  #   cgroupns_mode: host
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  #   command: /sbin/init
   - name: amazonlinux-2
     image: amazonlinux:2
     platform: x86_64
@@ -94,6 +94,7 @@ platforms: # Ubuntu noble only has one version of NGINX Plus available (at the m
     command: /usr/sbin/init
   - name: oraclelinux-9
     image: oraclelinux:9
+    platform: x86_64
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host
@@ -109,7 +110,7 @@ platforms: # Ubuntu noble only has one version of NGINX Plus available (at the m
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /usr/sbin/init
   - name: rhel-9
-    image: redhat/ubi9:9.4
+    image: redhat/ubi9:9.5
     dockerfile: ../common/Dockerfile.j2
     privileged: true
     cgroupns_mode: host
@@ -157,14 +158,14 @@ platforms: # Ubuntu noble only has one version of NGINX Plus available (at the m
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /sbin/init
-  # - name: ubuntu-noble
-  #   image: ubuntu:noble
-  #   dockerfile: ../common/Dockerfile.j2
-  #   privileged: true
-  #   cgroupns_mode: host
-  #   volumes:
-  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
-  #   command: /sbin/init
+  - name: ubuntu-noble
+    image: ubuntu:noble
+    dockerfile: ../common/Dockerfile.j2
+    privileged: true
+    cgroupns_mode: host
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    command: /sbin/init
 provisioner:
   name: ansible
   playbooks:

Diff for: molecule/downgrade-plus/prepare.yml

@@ -17,6 +17,13 @@
         force: false
         mode: "0444"
 
+    - name: Create ephemeral license JWT file from b64 encoded env var
+      ansible.builtin.copy:
+        content: "{{ lookup('env', 'NGINX_JWT') }}"
+        dest: ../../files/license/license.jwt
+        force: false
+        mode: "0444"
+
 - name: Prepare NGINX Plus
   hosts: all
   tasks:
@@ -28,3 +35,4 @@
         nginx_license:
           certificate: license/nginx-repo.crt
           key: license/nginx-repo.key
+          jwt: license/license.jwt

Diff for: molecule/downgrade/converge.yml

@@ -4,22 +4,22 @@
   pre_tasks:
     - name: Set repo if Alpine
       ansible.builtin.set_fact:
-        version: =1.25.5-r1
+        version: =1.27.1-r1
         cacheable: true
       when: ansible_facts['os_family'] == "Alpine"
     - name: Set repo if Debian
       ansible.builtin.set_fact:
-        version: =1.25.5-1~{{ ansible_facts['distribution_release'] }}
+        version: =1.27.1-1~{{ ansible_facts['distribution_release'] }}
         cacheable: true
       when: ansible_facts['os_family'] == "Debian"
     - name: Set repo if Red Hat
       ansible.builtin.set_fact:
-        version: -1.25.5-1.{{ (ansible_facts['distribution'] == "Amazon") | ternary(('amzn' + ansible_facts['distribution_major_version'] | string), ('el' + ansible_facts['distribution_major_version'] | string)) }}.ngx
+        version: -1.27.1-1.{{ (ansible_facts['distribution'] == "Amazon") | ternary(('amzn' + ansible_facts['distribution_major_version'] | string), ('el' + ansible_facts['distribution_major_version'] | string)) }}.ngx
         cacheable: true
       when: ansible_facts['os_family'] == "RedHat"
     - name: Set repo if SLES
       ansible.builtin.set_fact:
-        version: =1.25.5-1.sles{{ ansible_facts['distribution_major_version'] }}.ngx
+        version: =1.27.1-1.sles{{ ansible_facts['distribution_major_version'] }}.ngx
         cacheable: true
       when: ansible_facts['os_family'] == "Suse"
   tasks: