Update RHEL UBI images and improve RHEL subscription manager detection

.github/workflows/molecule.yml

@@ -54,17 +54,21 @@ jobs:
           - uninstall
     steps:
       - name: Check out the codebase
+        if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}
         uses: actions/checkout@v4
 
       - name: Set up Python 3
+        if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}
         uses: actions/setup-python@v5
         with:
           python-version: 3.x
 
       - name: Install Molecule dependencies
+        if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}
         run: pip3 install -r .github/workflows/requirements/requirements_molecule.txt
 
       - name: Install Ansible core dependencies
+        if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}
         run: ansible-galaxy install -r .github/workflows/requirements/requirements_ansible.yml
 
       - name: Run Molecule tests
@@ -73,4 +77,3 @@ jobs:
         env:
           PY_COLORS: 1
           ANSIBLE_FORCE_COLOR: 1
-

molecule/advanced/prepare.yml

@@ -3,14 +3,14 @@
   hosts: localhost
   gather_facts: false
   tasks:
-    - name: Create ephemeral license certificate file from b64 decoded env var # noqa template-instead-of-copy
+    - name: Create ephemeral license certificate file from b64 decoded env var
       ansible.builtin.copy:
         content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}"
         dest: ../../files/license/nginx-repo.crt
         force: false
         mode: "0444"
 
-    - name: Create ephemeral license key file from b64 decoded env var # noqa template-instead-of-copy
+    - name: Create ephemeral license key file from b64 decoded env var
       ansible.builtin.copy:
         content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}"
         dest: ../../files/license/nginx-repo.key

molecule/common/prepare.yml

@@ -3,14 +3,14 @@
   hosts: localhost
   gather_facts: false
   tasks:
-    - name: Create ephemeral license certificate file from b64 decoded env var # noqa template-instead-of-copy
+    - name: Create ephemeral license certificate file from b64 decoded env var
       ansible.builtin.copy:
         content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}"
         dest: ../../files/license/nginx-repo.crt
         force: false
         mode: "0444"
 
-    - name: Create ephemeral license key file from b64 decoded env var # noqa template-instead-of-copy
+    - name: Create ephemeral license key file from b64 decoded env var
       ansible.builtin.copy:
         content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}"
         dest: ../../files/license/nginx-repo.key

molecule/default/converge.yml

@@ -1,23 +1,23 @@
 ---
 - name: Converge
   hosts: all
-  vars:
-    rhel_subscription: false
   pre_tasks:
     - name: (RHEL) Check if there is a valid RHEL subscription
-      ansible.builtin.set_fact:
-        rhel_subscription: true
-      when:
-        - lookup('env', 'RHEL_USERNAME') | length > 0
-        - lookup('env', 'RHEL_PASSWORD') | length > 0
-
-    - name: (RHEL) Register system into RHEL subscription manager
-      community.general.redhat_subscription:
-        username: "{{ lookup('env', 'RHEL_USERNAME') }}"
-        password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
       when:
         - ansible_facts['distribution'] == "RedHat"
-        - rhel_subscription | bool
+        - ansible_facts['distribution_major_version'] is version('8', '>=')
+      block:
+        - name: (RHEL) Pre-emptively fail
+          ansible.builtin.fail:
+            msg: "RHEL subscription is required for this role to work on RHEL 8/9"
+          when:
+            - lookup('env', 'RHEL_USERNAME') | length == 0
+            - lookup('env', 'RHEL_PASSWORD') | length == 0
+
+        - name: (RHEL) Register system into RHEL subscription manager
+          community.general.redhat_subscription:
+            username: "{{ lookup('env', 'RHEL_USERNAME') }}"
+            password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
   tasks:
     - name: Install NGINX App Protect WAF
       ansible.builtin.include_role:
@@ -26,7 +26,7 @@
         nginx_app_protect_license:
           certificate: license/nginx-repo.crt
           key: license/nginx-repo.key
-        nginx_app_protect_use_rhel_subscription_repos: "{{ rhel_subscription }}"
+        nginx_app_protect_use_rhel_subscription_repos: false
         nginx_app_protect_remove_license: false
         nginx_app_protect_waf_install_signatures: true
         nginx_app_protect_waf_install_threat_campaigns: true

molecule/default/molecule.yml

@@ -39,7 +39,7 @@ platforms:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /usr/sbin/init
   - name: rhel-8
-    image: redhat/ubi8:8.7
+    image: redhat/ubi8:8.10
     platform: x86_64
     dockerfile: ../common/Dockerfile.j2
     privileged: true
@@ -48,7 +48,7 @@ platforms:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /usr/sbin/init
   - name: rhel-9
-    image: redhat/ubi9:9.1.0
+    image: redhat/ubi9:9.4
     env:
       SMDEV_CONTAINER_OFF: "1"
     platform: x86_64

molecule/dos/converge.yml

@@ -1,31 +1,31 @@
 ---
 - name: Converge
   hosts: all
-  vars:
-    rhel_subscription: false
   pre_tasks:
     - name: (RHEL) Check if there is a valid RHEL subscription
-      ansible.builtin.set_fact:
-        rhel_subscription: true
-      when:
-        - lookup('env', 'RHEL_USERNAME') | length > 0
-        - lookup('env', 'RHEL_PASSWORD') | length > 0
-
-    - name: (RHEL) Register system into RHEL subscription manager
-      community.general.redhat_subscription:
-        username: "{{ lookup('env', 'RHEL_USERNAME') }}"
-        password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
       when:
         - ansible_facts['distribution'] == "RedHat"
-        - rhel_subscription| bool
+        - ansible_facts['distribution_major_version'] is version('8', '>=')
+      block:
+        - name: (RHEL) Pre-emptively fail
+          ansible.builtin.fail:
+            msg: "RHEL subscription is required for this role to work on RHEL 8/9"
+          when:
+            - lookup('env', 'RHEL_USERNAME') | length == 0
+            - lookup('env', 'RHEL_PASSWORD') | length == 0
+
+        - name: (RHEL) Register system into RHEL subscription manager
+          community.general.redhat_subscription:
+            username: "{{ lookup('env', 'RHEL_USERNAME') }}"
+            password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
   tasks:
     - name: Install NGINX App Protect DoS
       ansible.builtin.include_role:
         name: ansible-role-nginx-app-protect
       vars:
         nginx_app_protect_waf_enable: false
         nginx_app_protect_dos_enable: true
-        nginx_app_protect_use_rhel_subscription_repos: "{{ rhel_subscription }}"
+        nginx_app_protect_use_rhel_subscription_repos: false
         nginx_app_protect_license:
           certificate: license/nginx-repo.crt
           key: license/nginx-repo.key

molecule/dos/molecule.yml

@@ -12,7 +12,7 @@ platforms:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     command: /sbin/init
   - name: rhel-8
-    image: redhat/ubi8:8.7
+    image: redhat/ubi8:8.10
     platform: x86_64
     dockerfile: ../common/Dockerfile.j2
     privileged: true

molecule/uninstall/prepare.yml

@@ -5,54 +5,47 @@
   tasks:
     - name: Create ephemeral license certificate file from b64 decoded env var
       ansible.builtin.copy:
-        content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}" # noqa template-instead-of-copy
+        content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}"
         dest: ../../files/license/nginx-repo.crt
         force: false
         mode: "0444"
 
     - name: Create ephemeral license key file from b64 decoded env var
       ansible.builtin.copy:
-        content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}" # noqa template-instead-of-copy
+        content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}"
         dest: ../../files/license/nginx-repo.key
         force: false
         mode: "0444"
 
 - name: Install NGINX App Protect WAF and DoS
   hosts: all
-  vars:
-    rhel_subscription: false
   pre_tasks:
     - name: (RHEL) Check if there is a valid RHEL subscription
-      ansible.builtin.set_fact:
-        rhel_subscription: true
-      when:
-        - lookup('env', 'RHEL_USERNAME') | length > 0
-        - lookup('env', 'RHEL_PASSWORD') | length > 0
-
-    - name: (RHEL) Register system into RHEL subscription manager
-      community.general.redhat_subscription:
-        username: "{{ lookup('env', 'RHEL_USERNAME') }}"
-        password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
       when:
         - ansible_facts['distribution'] == "RedHat"
-        - rhel_subscription| bool
+        - ansible_facts['distribution_major_version'] is version('8', '>=')
+      block:
+        - name: (RHEL) Pre-emptively fail
+          ansible.builtin.fail:
+            msg: "RHEL subscription is required for this role to work on RHEL 8/9"
+          when:
+            - lookup('env', 'RHEL_USERNAME') | length == 0
+            - lookup('env', 'RHEL_PASSWORD') | length == 0
+
+        - name: (RHEL) Register system into RHEL subscription manager
+          community.general.redhat_subscription:
+            username: "{{ lookup('env', 'RHEL_USERNAME') }}"
+            password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
   tasks:
     - name: Install NGINX App Protect WAF
       ansible.builtin.include_role:
         name: ansible-role-nginx-app-protect
       vars:
-        nginx_app_protect_use_rhel_subscription_repos: "{{ rhel_subscription }}"
+        nginx_app_protect_use_rhel_subscription_repos: false
         nginx_app_protect_license:
           certificate: license/nginx-repo.crt
           key: license/nginx-repo.key
         nginx_app_protect_waf_enable: true
         nginx_app_protect_waf_install_signatures: true
         nginx_app_protect_waf_install_threat_campaigns: true
         nginx_app_protect_dos_enable: true
-  post_tasks:
-    - name: (RHEL) Unregister system from RHEL subscription manager
-      community.general.redhat_subscription:
-        state: absent
-      when:
-        - ansible_facts['distribution'] == "RedHat"
-        - rhel_subscription | bool

tasks/common/validate/validate.yml

@@ -25,13 +25,22 @@
     - nginx_app_protect_dos_state != "absent"
   ignore_errors: true # noqa ignore-errors
 
-- name: Warn if installing NGINX App Protect on RHEL >7 without subscription details
-  ansible.builtin.fail:
-    msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_facts['distribution_version'] }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role and then set the 'nginx_app_protect_use_rhel_subscription_repos' variable to true.
+- name: Check if you can run NAP
   when:
     - ansible_facts['distribution'] == "RedHat"
-    - not nginx_app_protect_use_rhel_subscription_repos | bool
-  ignore_errors: true # noqa ignore-errors
+    # - ansible_facts['distribution_major_version'] is version('7', '>')
+    - nginx_app_protect_use_rhel_subscription_repos | bool
+  block:
+    - name: Check if Red Hat subscription is active
+      ansible.builtin.command: subscription-manager status
+      register: rh_subscription_status
+      changed_when: false
+
+    - name: Fail if installing NGINX App Protect on RHEL >7 without subscription details
+      ansible.builtin.fail:
+        msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_facts['distribution_version'] }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role.
+      when:
+        - "'Current' not in rh_subscription_status['stdout']"
 
 - name: Check that 'nginx_app_protect_waf_setup' is an allowed value
   ansible.builtin.assert: