From ff95341669c07cafdda2867204b52520506ce32b Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Thu, 25 Jan 2024 15:41:40 +0100
Subject: [PATCH 1/8] Update molecule.yml
---
 molecule/dos/molecule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/molecule/dos/molecule.yml b/molecule/dos/molecule.yml
index 3d9e5cc..3709d5a 100644
--- a/molecule/dos/molecule.yml
+++ b/molecule/dos/molecule.yml
@@ -39,7 +39,7 @@ platforms:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 command: /usr/sbin/init
 - name: rhel-8
- image: redhat/ubi8:8.7
+ image: redhat/ubi8:8.9
 platform: amd64
 dockerfile: ../common/Dockerfile.j2
 privileged: true
From 7fc79a5f7805cc9d5d3029cde39fb1c36f2774c7 Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Thu, 25 Jan 2024 15:41:59 +0100
Subject: [PATCH 2/8] Update molecule.yml
---
 .github/workflows/molecule.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index 5409b42..9aa3c81 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@@ -54,17 +54,21 @@ jobs:
 - uninstall
 steps:
 - name: Check out the codebase
+ if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}
 uses: actions/checkout@v4
 - name: Set up Python 3
+ if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}
 uses: actions/setup-python@v5
 with:
 python-version: 3.x
 - name: Install Molecule dependencies
+ if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}
 run: pip3 install -r .github/workflows/requirements/requirements_molecule.txt
 - name: Install Ansible core dependencies
+ if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}
 run: ansible-galaxy install -r .github/workflows/requirements/requirements_ansible.yml
 - name: Run Molecule tests
@@ -73,4 +77,3 @@ jobs:
 env:
 PY_COLORS: 1
 ANSIBLE_FORCE_COLOR: 1
-
From 2e056729c738233ed0dce8fe8c74952b8fcaa763 Mon Sep 17 00:00:00 2001
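Review bot: The `if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}` guard added to the four setup steps of .github/workflows/molecule.yml relies on GitHub's loose comparison coercing an empty string to the number 0; it works, but reads as a numeric check and would also skip when the variable happens to hold a literal `0`. The explicit form `if: ${{ env.NGINX_CRT != '' && env.NGINX_KEY != '' }}` states the real intent (license secrets not available, e.g. on pull requests from forks). The 'Run Molecule tests' step that follows is the last context line of the hunk, so whether it carries the same guard is not visible here; if it does not, the job still runs Molecule after skipping checkout and the dependency installs and fails on that step instead of being skipped cleanly. A short comment above the first guarded step explaining why the steps are conditional would also help the next reader, since the condition is repeated four times without a word on why.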
From: Alessandro Fael Garcia
Date: Fri, 26 Jan 2024 15:44:45 +0100
Subject: [PATCH 3/8] version checks
---
 molecule/default/converge.yml | 28 +++++++++----------
 molecule/default/molecule.yml | 4 +--
 .../prerequisites/install-dependencies.yml | 12 ++++----
 tasks/common/validate/validate.yml | 20 +++++++++----
 4 files changed, 35 insertions(+), 29 deletions(-)
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 1162be2..7a4601f 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -1,23 +1,23 @@
 ---
 - name: Converge
 hosts: all
- vars:
- rhel_subscription: false
 pre_tasks:
 - name: (RHEL) Check if there is a valid RHEL subscription
- ansible.builtin.set_fact:
- rhel_subscription: true
- when:
- - lookup('env', 'RHEL_USERNAME') | length > 0
- - lookup('env', 'RHEL_PASSWORD') | length > 0
-
- - name: (RHEL) Register system into RHEL subscription manager
- community.general.redhat_subscription:
- username: "{{ lookup('env', 'RHEL_USERNAME') }}"
- password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
 when:
 - ansible_facts['distribution'] == "RedHat"
- - rhel_subscription | bool
+ - ansible_facts['distribution_major_version'] is version('8', '>=')
+ block:
+ - name: (RHEL) Pre-emptively fail
+ ansible.builtin.fail:
+ msg: "RHEL subscription is required for this role to work on RHEL 8/9"
+ when:
+ - lookup('env', 'RHEL_USERNAME') | length == 0
+ - lookup('env', 'RHEL_PASSWORD') | length == 0
+
+ - name: (RHEL) Register system into RHEL subscription manager
+ community.general.redhat_subscription:
+ username: "{{ lookup('env', 'RHEL_USERNAME') }}"
+ password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
 tasks:
 - name: Install NGINX App Protect WAF
 ansible.builtin.include_role:
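Review bot: The `when:` on the new '(RHEL) Pre-emptively fail' task lists the two `length == 0` conditions as a YAML list, which Ansible combines with AND, so the play only fails early when both RHEL_USERNAME and RHEL_PASSWORD are unset; with exactly one of them set it falls through to `community.general.redhat_subscription` with an empty credential and fails there with a far less useful error. Collapse it to one condition with an explicit `or`: `when: lookup('env', 'RHEL_USERNAME') | length == 0 or lookup('env', 'RHEL_PASSWORD') | length == 0`. The same block is added verbatim in patch 4 to molecule/dos/converge.yml and molecule/uninstall/prepare.yml and needs the same change there. The name 'Check if there is a valid RHEL subscription' no longer describes the block, which now registers the host; something like '(RHEL) Register the host with subscription-manager' would match what it does.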
@@ -26,7 +26,7 @@
 nginx_app_protect_license:
 certificate: license/nginx-repo.crt
 key: license/nginx-repo.key
- nginx_app_protect_use_rhel_subscription_repos: "{{ rhel_subscription }}"
+ nginx_app_protect_use_rhel_subscription_repos: false
 nginx_app_protect_remove_license: false
 nginx_app_protect_waf_install_signatures: true
 nginx_app_protect_waf_install_threat_campaigns: true
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index fc436ce..7564089 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -66,7 +66,7 @@ platforms:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 command: /usr/sbin/init
 - name: rhel-8
- image: redhat/ubi8:8.7
+ image: redhat/ubi8:8.9
 platform: amd64
 dockerfile: ../common/Dockerfile.j2
 privileged: true
@@ -75,7 +75,7 @@ platforms:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 command: /usr/sbin/init
 - name: rhel-9
- image: redhat/ubi9:9.1.0
+ image: redhat/ubi9:9.3
 env:
 SMDEV_CONTAINER_OFF: "1"
 platform: amd64
diff --git a/tasks/common/prerequisites/install-dependencies.yml b/tasks/common/prerequisites/install-dependencies.yml
index 939ffa6..2dde4fb 100644
--- a/tasks/common/prerequisites/install-dependencies.yml
+++ b/tasks/common/prerequisites/install-dependencies.yml
@@ -63,10 +63,10 @@
 - not nginx_app_protect_use_rhel_subscription_repos | bool
 - nginx_app_protect_dos_enable | bool
- - name: (RHEL) Enable RHEL subscription manager repos management
- ansible.builtin.command: subscription-manager config --rhsm.manage_repos=1
- changed_when: false
- when: nginx_app_protect_use_rhel_subscription_repos | bool
+ # - name: (RHEL) Enable RHEL subscription manager repos management
+ # ansible.builtin.command: subscription-manager config --rhsm.manage_repos=1
+ # changed_when: false
+ # when: nginx_app_protect_use_rhel_subscription_repos | bool
 - name: (RHEL 7) Set up RHEL dependencies from RHEL official repositories
 community.general.rhsm_repository:
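Review bot: The '(RHEL) Enable RHEL subscription manager repos management' task in tasks/common/prerequisites/install-dependencies.yml is commented out rather than deleted, leaving four dead lines that git history already preserves; delete the block, and if the behaviour is meant to return later replace it with a one-line comment giving the reason it was disabled (`# rhsm.manage_repos is left at the host default; re-enable once <reason> is resolved`). The converge.yml hunk at the top of this line hard-codes `nginx_app_protect_use_rhel_subscription_repos: false` while the same scenario's pre_tasks now register every RHEL 8/9 host, so the `true` branch of this file, which the context lines show is selected by that variable, appears to no longer be exercised by the default scenario; a comment in converge.yml stating which path the scenario is meant to cover would make that deliberate. The two molecule.yml image bumps in this line are fine as they are.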
@@ -81,9 +81,7 @@
 - name: (RHEL 8/9) Set up RHEL dependencies from RHEL official repositories
 community.general.rhsm_repository:
 name: codeready-builder-for-rhel-{{ ansible_facts['distribution_major_version'] }}-x86_64-rpms
- when:
- - ansible_facts['distribution_major_version'] is version('8', '>=')
- - nginx_app_protect_use_rhel_subscription_repos | bool
+ when: ansible_facts['distribution_major_version'] is version('8', '>=')
 - name: (Oracle Linux) Set up Oracle Linux specific repositories
 community.general.ini_file:
diff --git a/tasks/common/validate/validate.yml b/tasks/common/validate/validate.yml
index 49ce48c..480a592 100644
--- a/tasks/common/validate/validate.yml
+++ b/tasks/common/validate/validate.yml
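Review bot: The new `when: ansible_facts['distribution_major_version'] is version('8', '>=')` on '(RHEL 8/9) Set up RHEL dependencies from RHEL official repositories' drops the `nginx_app_protect_use_rhel_subscription_repos | bool` condition, so `community.general.rhsm_repository` now runs on every RHEL 8/9 host, including hosts where the operator set that variable to false precisely because the host is not registered with subscription-manager (Satellite, mirrored repos, disconnected environments); enabling an rhsm repository on an unregistered host will presumably fail, so those runs start breaking at this task. Either restore the second condition, `- nginx_app_protect_use_rhel_subscription_repos | bool`, or document in the role's variable description that `false` no longer means "leave subscription-manager alone" on RHEL 8/9. This is also inconsistent with validate.yml in the same commit, which only checks the subscription when the variable is true, so a host with the variable false is neither validated there nor skipped here.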
@@ -25,14 +25,22 @@
 - nginx_app_protect_dos_state != "absent"
 ignore_errors: true # noqa ignore-errors
-- name: Warn if installing NGINX App Protect on RHEL >7 without subscription details
- ansible.builtin.fail:
- msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_facts['distribution_version'] }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role and then set the 'nginx_app_protect_use_rhel_subscription_repos' variable to true.
+- name: Check if you can run NAP
 when:
 - ansible_facts['distribution'] == "RedHat"
- - ansible_facts['distribution_major_version'] is version('7', '>')
- - not nginx_app_protect_use_rhel_subscription_repos | bool
- ignore_errors: true # noqa ignore-errors
+ # - ansible_facts['distribution_major_version'] is version('7', '>')
+ - nginx_app_protect_use_rhel_subscription_repos | bool
+ block:
+ - name: Check if Red Hat subscription is active
+ ansible.builtin.command: subscription-manager status
+ register: rh_subscription_status
+ changed_when: false
+
+ - name: Fail if installing NGINX App Protect on RHEL >7 without subscription details
+ ansible.builtin.fail:
+ msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_facts['distribution_version'] }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role.
+ when:
+ - "'Current' not in rh_subscription_status['stdout']"
 - name: Check that 'nginx_app_protect_waf_setup' is an allowed value
 ansible.builtin.assert:
From 65403af94f3b331d52dd6e7f03bcc3ad47249797 Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Tue, 6 Feb 2024 12:25:38 +0100
Subject: [PATCH 4/8] update check
---
 molecule/dos/converge.yml | 26 +++++++++++++------------
 molecule/uninstall/prepare.yml | 26 +++++++++++++------------
 2 files changed, 26 insertions(+), 26 deletions(-)
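Review bot: 'Check if Red Hat subscription is active' runs `subscription-manager status` through `ansible.builtin.command` with only `changed_when: false`; as far as I recall subscription-manager exits non-zero whenever the overall status is not Current, so on an unregistered host the command task itself fails with a generic non-zero-rc error and the dedicated `ansible.builtin.fail` message below it is never shown. Add `failed_when: false` to the command task so the block reaches the `'Current' not in rh_subscription_status['stdout']` check, and consider matching the `Overall Status:` line rather than a bare substring, since `Current` can appear elsewhere in that output. The block is gated on `nginx_app_protect_use_rhel_subscription_repos | bool`, the inverse of the check it replaces, while install-dependencies.yml in this same commit enables codeready-builder on every RHEL 8/9 host regardless of that variable, so the case the old task warned about (variable false on RHEL 8/9) is now neither validated nor avoided. The commented-out `version('7', '>')` condition should be deleted or reinstated rather than kept as a comment, and 'Check if you can run NAP' is vaguer than the old name; '(RHEL 8/9) Verify subscription-manager reports an active subscription' says what the block does.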
diff --git a/molecule/dos/converge.yml b/molecule/dos/converge.yml
index 9868680..1c83827 100644
--- a/molecule/dos/converge.yml
+++ b/molecule/dos/converge.yml
@@ -1,23 +1,23 @@
 ---
 - name: Converge
 hosts: all
- vars:
- rhel_subscription: false
 pre_tasks:
 - name: (RHEL) Check if there is a valid RHEL subscription
- ansible.builtin.set_fact:
- rhel_subscription: true
- when:
- - lookup('env', 'RHEL_USERNAME') | length > 0
- - lookup('env', 'RHEL_PASSWORD') | length > 0
-
- - name: (RHEL) Register system into RHEL subscription manager
- community.general.redhat_subscription:
- username: "{{ lookup('env', 'RHEL_USERNAME') }}"
- password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
 when:
 - ansible_facts['distribution'] == "RedHat"
- - rhel_subscription| bool
+ - ansible_facts['distribution_major_version'] is version('8', '>=')
+ block:
+ - name: (RHEL) Pre-emptively fail
+ ansible.builtin.fail:
+ msg: "RHEL subscription is required for this role to work on RHEL 8/9"
+ when:
+ - lookup('env', 'RHEL_USERNAME') | length == 0
+ - lookup('env', 'RHEL_PASSWORD') | length == 0
+
+ - name: (RHEL) Register system into RHEL subscription manager
+ community.general.redhat_subscription:
+ username: "{{ lookup('env', 'RHEL_USERNAME') }}"
+ password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
 tasks:
 - name: Install NGINX App Protect DoS
 ansible.builtin.include_role:
diff --git a/molecule/uninstall/prepare.yml b/molecule/uninstall/prepare.yml
index 08815f0..107bd81 100644
--- a/molecule/uninstall/prepare.yml
+++ b/molecule/uninstall/prepare.yml
@@ -19,23 +19,23 @@
 - name: Install NGINX App Protect WAF and DoS
 hosts: all
- vars:
- rhel_subscription: false
 pre_tasks:
 - name: (RHEL) Check if there is a valid RHEL subscription
- ansible.builtin.set_fact:
- rhel_subscription: true
- when:
- - lookup('env', 'RHEL_USERNAME') | length > 0
- - lookup('env', 'RHEL_PASSWORD') | length > 0
-
- - name: (RHEL) Register system into RHEL subscription manager
- community.general.redhat_subscription:
- username: "{{ lookup('env', 'RHEL_USERNAME') }}"
- password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
 when:
 - ansible_facts['distribution'] == "RedHat"
- - rhel_subscription| bool
+ - ansible_facts['distribution_major_version'] is version('8', '>=')
+ block:
+ - name: (RHEL) Pre-emptively fail
+ ansible.builtin.fail:
+ msg: "RHEL subscription is required for this role to work on RHEL 8/9"
+ when:
+ - lookup('env', 'RHEL_USERNAME') | length == 0
+ - lookup('env', 'RHEL_PASSWORD') | length == 0
+
+ - name: (RHEL) Register system into RHEL subscription manager
+ community.general.redhat_subscription:
+ username: "{{ lookup('env', 'RHEL_USERNAME') }}"
+ password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
 tasks:
 - name: Install NGINX App Protect WAF
 ansible.builtin.include_role:
From 022281d2fd65158234cb1aa27ce8f35d0af8007c Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Tue, 6 Feb 2024 13:54:02 +0100
Subject: [PATCH 5/8] fix
---
 molecule/dos/converge.yml | 2 +-
 molecule/uninstall/prepare.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/molecule/dos/converge.yml b/molecule/dos/converge.yml
index 1c83827..9d8d719 100644
--- a/molecule/dos/converge.yml
+++ b/molecule/dos/converge.yml
@@ -25,7 +25,7 @@
 vars:
 nginx_app_protect_waf_enable: false
 nginx_app_protect_dos_enable: true
- nginx_app_protect_use_rhel_subscription_repos: "{{ rhel_subscription }}"
+ nginx_app_protect_use_rhel_subscription_repos: false
 nginx_app_protect_license:
 certificate: license/nginx-repo.crt
 key: license/nginx-repo.key
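Review bot: Hard-coding `nginx_app_protect_use_rhel_subscription_repos: false` in molecule/dos/converge.yml (patch 5, last hunk on this line; the uninstall scenario gets the same value in the next hunk) while the play's pre_tasks register the container with subscription-manager means the DoS scenario now runs the role's non-subscription branch on a subscribed host, and the validate.yml subscription check introduced in patch 3, which is gated on this variable being true, is never executed in CI. If the role is meant to be tested against subscription repos on RHEL 8/9, this should be `nginx_app_protect_use_rhel_subscription_repos: true`; if not, the registration pre_tasks are doing work the scenario does not need. Whichever is intended, a one-line comment next to the variable stating which path the scenario covers would stop the next person from flipping it. The prepare.yml hunk of patch 4 above also carries the AND-ed `length == 0` conditions already raised on patch 3's converge.yml.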
diff --git a/molecule/uninstall/prepare.yml b/molecule/uninstall/prepare.yml
index 107bd81..e6d244f 100644
--- a/molecule/uninstall/prepare.yml
+++ b/molecule/uninstall/prepare.yml
@@ -41,7 +41,7 @@
 ansible.builtin.include_role:
 name: ansible-role-nginx-app-protect
 vars:
- nginx_app_protect_use_rhel_subscription_repos: "{{ rhel_subscription }}"
+ nginx_app_protect_use_rhel_subscription_repos: false
 nginx_app_protect_license:
 certificate: license/nginx-repo.crt
 key: license/nginx-repo.key
From 0c6284a2294bc95941d413528e273cb2f1749de2 Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Wed, 7 Feb 2024 18:49:59 +0100
Subject: [PATCH 6/8] Update prepare.yml
---
 molecule/uninstall/prepare.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/molecule/uninstall/prepare.yml b/molecule/uninstall/prepare.yml
index e6d244f..160261d 100644
--- a/molecule/uninstall/prepare.yml
+++ b/molecule/uninstall/prepare.yml
@@ -55,4 +55,4 @@
 state: absent
 when:
 - ansible_facts['distribution'] == "RedHat"
- - rhel_subscription | bool
+ - ansible_facts['distribution_major_version'] is version('8', '>=')
From fc04246b150233743d63c7497184703aca9ceb56 Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Wed, 7 Feb 2024 19:09:49 +0100
Subject: [PATCH 7/8] Update prepare.yml
---
 molecule/uninstall/prepare.yml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/molecule/uninstall/prepare.yml b/molecule/uninstall/prepare.yml
index 160261d..6841d2d 100644
--- a/molecule/uninstall/prepare.yml
+++ b/molecule/uninstall/prepare.yml
@@ -49,10 +49,3 @@
 nginx_app_protect_waf_install_signatures: true
 nginx_app_protect_waf_install_threat_campaigns: true
 nginx_app_protect_dos_enable: true
- post_tasks:
- - name: (RHEL) Unregister system from RHEL subscription manager
- community.general.redhat_subscription:
- state: absent
- when:
- - ansible_facts['distribution'] == "RedHat"
- - ansible_facts['distribution_major_version'] is version('8', '>=')
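Review bot: Patch 6 re-gates the post_tasks '(RHEL) Unregister system from RHEL subscription manager' on `ansible_facts['distribution_major_version'] is version('8', '>=')`, but patch 7 then deletes that post_tasks block outright, so after this series no scenario visible here unregisters the container that its pre_tasks registered with `community.general.redhat_subscription`. Unless teardown happens elsewhere (not in these hunks), each CI run leaves a consumer registered against the Red Hat account behind RHEL_USERNAME/RHEL_PASSWORD; a `community.general.redhat_subscription` task with `state: absent` in the scenario's cleanup or destroy stage, which runs even when converge fails, would keep that account clean. The two 'Update prepare.yml' commit messages give no reason for adding and then removing the condition; a sentence explaining why the unregister step was dropped belongs in the message or in a comment where the post_tasks used to be.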
From 829a40dbf0071b61e1c99ca7677e7fdc49dbfa3b Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Sun, 28 Jul 2024 21:53:12 +0200
Subject: [PATCH 8/8] update
---
 molecule/advanced/prepare.yml | 4 ++--
 molecule/common/prepare.yml | 4 ++--
 molecule/uninstall/prepare.yml | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/molecule/advanced/prepare.yml b/molecule/advanced/prepare.yml
index 40d4002..ce35bef 100644
--- a/molecule/advanced/prepare.yml
+++ b/molecule/advanced/prepare.yml
@@ -3,14 +3,14 @@
 hosts: localhost
 gather_facts: false
 tasks:
- - name: Create ephemeral license certificate file from b64 decoded env var # noqa template-instead-of-copy
+ - name: Create ephemeral license certificate file from b64 decoded env var
 ansible.builtin.copy:
 content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}"
 dest: ../../files/license/nginx-repo.crt
 force: false
 mode: "0444"
- - name: Create ephemeral license key file from b64 decoded env var # noqa template-instead-of-copy
+ - name: Create ephemeral license key file from b64 decoded env var
 ansible.builtin.copy:
 content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}"
 dest: ../../files/license/nginx-repo.key
diff --git a/molecule/common/prepare.yml b/molecule/common/prepare.yml
index 42445dd..4044500 100644
--- a/molecule/common/prepare.yml
+++ b/molecule/common/prepare.yml
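Review bot: Dropping the `# noqa template-instead-of-copy` markers in molecule/advanced/prepare.yml is only safe if the ansible-lint version pinned in requirements_molecule.txt no longer raises that rule for `ansible.builtin.copy` with a Jinja `content:`; if it still does, the lint job starts failing on these two tasks and on the identical edits in molecule/common/prepare.yml and molecule/uninstall/prepare.yml below. The commit message 'update' does not say which it is; noting the ansible-lint version that made the suppression obsolete would let the next person verify it. Since this hunk touches the task that writes the private key, note that the context line `mode: "0444"` (pre-existing) leaves nginx-repo.key world-readable on the runner; `mode: "0400"` is sufficient for a file only the playbook user reads, and `force: false` silently keeps a stale key from an earlier run, which deserves a comment if intentional.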
@@ -3,14 +3,14 @@
 hosts: localhost
 gather_facts: false
 tasks:
- - name: Create ephemeral license certificate file from b64 decoded env var # noqa template-instead-of-copy
+ - name: Create ephemeral license certificate file from b64 decoded env var
 ansible.builtin.copy:
 content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}"
 dest: ../../files/license/nginx-repo.crt
 force: false
 mode: "0444"
- - name: Create ephemeral license key file from b64 decoded env var # noqa template-instead-of-copy
+ - name: Create ephemeral license key file from b64 decoded env var
 ansible.builtin.copy:
 content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}"
 dest: ../../files/license/nginx-repo.key
diff --git a/molecule/uninstall/prepare.yml b/molecule/uninstall/prepare.yml
index 6841d2d..05b117c 100644
--- a/molecule/uninstall/prepare.yml
+++ b/molecule/uninstall/prepare.yml
@@ -5,14 +5,14 @@
 tasks:
 - name: Create ephemeral license certificate file from b64 decoded env var
 ansible.builtin.copy:
- content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}" # noqa template-instead-of-copy
+ content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}"
 dest: ../../files/license/nginx-repo.crt
 force: false
 mode: "0444"
 - name: Create ephemeral license key file from b64 decoded env var
 ansible.builtin.copy:
- content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}" # noqa template-instead-of-copy
+ content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}"
 dest: ../../files/license/nginx-repo.key
 force: false
 mode: "0444"