diff --git a/.ansible-lint b/.ansible-lint
index 04a344e1..27105069 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -3,5 +3,4 @@ offline: true exclude_paths: - .github/ skip_list: - - schema[meta] - yaml[line-length]
diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml
index b00e475a..df37a618 100644
--- a/.github/workflows/f5-cla.yml
+++ b/.github/workflows/f5-cla.yml
@@ -1,38 +1,39 @@ +--- name: F5 CLA on: issue_comment: types: [created] pull_request_target: types: [opened, closed, synchronize] - -permissions: - actions: write - pull-requests: write - statuses: write - +permissions: read-all jobs: f5-cla: - runs-on: ubuntu-22.04 + name: F5 CLA + runs-on: ubuntu-24.04 + permissions: + actions: write + pull-requests: write + statuses: write steps: - - name: Run F5 CLA assistant + - name: Run F5 Contributor License Agreement (CLA) assistant if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target' uses: contributor-assistant/github-action@9340315624c6e16cef1f2c63bdeb0f0c49c6f474 # v2.4.0 with: - # Any pull request targeting the following branch will trigger a CLA check - branch: 'main' - # Path to the CLA document - path-to-document: 'https://github.com/f5/.github/blob/main/CLA/cla-markdown.md' - # Custom CLA messages - custom-notsigned-prcomment: '🎉 Thank you for your contribution. It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and comment the following to agree:' + # Any pull request targeting the following branch will trigger a CLA check. + branch: main + # Path to the CLA document. + path-to-document: https://github.com/f5/.github/blob/main/CLA/cla-markdown.md + # Custom CLA messages. + custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. 
Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:' custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms' custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!' - # Remote repository storing CLA signatures - remote-organization-name: 'f5' - remote-repository-name: 'f5-cla-data' - path-to-signatures: 'signatures/beta/signatures.json' - # Comma seperated list of usernames for maintainers or any other individuals who should not be prompted for a CLA. + # Remote repository storing CLA signatures. + remote-organization-name: f5 + remote-repository-name: f5-cla-data + path-to-signatures: signatures/signatures.json + # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA. allowlist: alessfg, oxpa, bot* - # Do not lock PRs after a merge + # Do not lock PRs after a merge. lock-pullrequest-aftermerge: false env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/galaxy.yml b/.github/workflows/galaxy.yml
index 318842c1..7553ee6b 100644
--- a/.github/workflows/galaxy.yml
+++ b/.github/workflows/galaxy.yml
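Review bot: `path-to-signatures` moves from `signatures/beta/signatures.json` to `signatures/signatures.json` in a hunk that otherwise only unquotes values, renames the step and pins the runner; unless the file in `f5-cla-data` was moved to match, previously recorded signatures will not be found and every contributor is prompted to sign again. The CHANGELOG hunk in this diff does not mention it, so it deserves either an entry there or a comment on that line saying where the signatures now live. Because this workflow runs on `pull_request_target` and the job holds `pull-requests: write` and `statuses: write`, a comment above `on:` such as `# Runs on pull_request_target with write permissions: never add a step that checks out or executes PR head code here.` records what currently keeps it safe — the absence of any checkout step.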
@@ -1,25 +1,25 @@ --- -name: Ansible Galaxy import +name: Ansible Galaxy Role Import on: release: - types: - - published + types: [published] workflow_dispatch: +permissions: read-all jobs: - galaxy: - name: Galaxy - runs-on: ubuntu-22.04 + ansible-galaxy: + name: Import role to Ansible Galaxy + runs-on: ubuntu-24.04 steps: - name: Check out the codebase - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Python 3 - uses: actions/setup-python@v5 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: 3.x - - name: Install Ansible + - name: Install Ansible core run: pip3 install -r .github/workflows/requirements/requirements_galaxy.txt - - name: Import release to Ansible Galaxy + - name: Import role releases to Ansible Galaxy run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index e920eae3..f3da3ca3 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
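Review bot: The import step's `run:` line expands `${{ secrets.GALAXY_API_KEY }}` directly into the shell command, so the key is written into the generated script and appears in the process argument list instead of being read from the environment; the usual hardening is to pass it through `env:` and reference it as a quoted variable. That is `env:` / `GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}` on the step, and `run: ansible-galaxy role import --api-key "$GALAXY_API_KEY" $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)`. As a style point, the two `$(echo … | cut …)` pipelines can be replaced by `${{ github.repository_owner }}` and `${{ github.event.repository.name }}`, which removes the shell round-trip entirely.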
@@ -2,33 +2,31 @@ name: Molecule CI/CD on: pull_request: - branches: - - main + branches: [main] push: - branches: - - main - tags-ignore: - - "**" + branches: [main] + tags-ignore: ["**"] schedule: - cron: "0 0 1 * *" workflow_dispatch: +permissions: read-all jobs: ansible-lint: name: Ansible Lint - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Check out the codebase - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Python 3 - uses: actions/setup-python@v5 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: 3.x - - name: Install Ansible Lint + - name: Install Ansible core and Ansible Lint run: pip3 install -r .github/workflows/requirements/requirements_ansible_lint.txt - - name: Install Ansible collection dependencies + - name: Install Ansible core collection dependencies run: ansible-galaxy install -r .github/workflows/requirements/requirements_ansible.yml - name: Run Ansible Lint
@@ -36,7 +34,7 @@ jobs: molecule: name: Molecule - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 env: NGINX_CRT: ${{ secrets.NGINX_CRT }} NGINX_KEY: ${{ secrets.NGINX_KEY }}
@@ -57,15 +55,15 @@ jobs: steps: - name: Check out the codebase if: ${{ !(contains(matrix.scenario, 'plus')) || (env.NGINX_CRT != 0 && env.NGINX_KEY != 0) }} - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Python 3 if: ${{ !(contains(matrix.scenario, 'plus')) || (env.NGINX_CRT != 0 && env.NGINX_KEY != 0) }} - uses: actions/setup-python@v5 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: 3.x - - name: Install Molecule dependencies + - name: Install Ansible core and Molecule if: ${{ !(contains(matrix.scenario, 'plus')) || (env.NGINX_CRT != 0 && env.NGINX_KEY != 0) }} run: pip3 install -r .github/workflows/requirements/requirements_molecule.txt
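Review bot: The guards `env.NGINX_CRT != 0 && env.NGINX_KEY != 0` repeated on every step of the `molecule` job (third hunk) read as numeric comparisons, but they only work because an unset secret expands to an empty string, which the expression evaluator coerces to 0 when compared against a number; nothing in the file says so, and the commit touches these lines without documenting it. A comment above the first guarded step, `# Plus scenarios need the NGINX_CRT/NGINX_KEY secrets; an unset secret is an empty string, which compares equal to 0 here.`, would stop the next editor from rewriting it as a string comparison that behaves differently. The `molecule` job's remaining steps continue past the end of the hunk.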
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
deleted file mode 100644
index a533a4b5..00000000
--- a/.github/workflows/release-drafter.yml
+++ /dev/null
@@ -1,20 +0,0 @@ ---- -name: Release Drafter -on: - pull_request: - types: - - opened - - reopened - - synchronize - push: - branches: - - main - workflow_dispatch: -jobs: - update_release_draft: - name: Update release draft - runs-on: ubuntu-22.04 - steps: - - uses: release-drafter/release-drafter@v6 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..60d5dcfd
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,20 @@
+---
+name: Release Drafter
+on:
+ push:
+ branches: [main]
+ pull_request_target:
+ types: [opened, reopened, synchronize]
+permissions: read-all
+jobs:
+ release-draft:
+ name: Update release draft
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Run release drafter
+ uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cfd2c1a7..72fa4b39 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
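Review bot: The new `release.yml` triggers on `pull_request_target` where the deleted `release-drafter.yml` used `pull_request`, and the job holds `contents: write` and `pull-requests: write`, so for a fork PR it now runs with a write-capable token; that is what release-drafter needs to label PRs, and it stays safe only as long as the job never checks out or executes PR head content. That reasoning is not recorded anywhere in the file, so add above `pull_request_target:` a comment such as `# pull_request_target is needed so fork PRs can be labelled with a write token; never add a checkout of the PR head to this job.` The top-level `permissions: read-all` is then overridden for this job by the job-level block, which is the intended layering but worth one word in the same comment.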
@@ -6,15 +6,26 @@ BUG FIXES: - Fix incompatibility when using the `listen` directive and setting both the `quic` and `so_keepalive` parameters. +TESTS: + +- Add Molecule tests covering common NGINX use cases (web server, reverse proxy), enabling the NGINX stub status metrics, and NGINX Plus API and live metrics dashboard. +- Update the platforms used in the various Molecule scenarios. +- Use the local role name (`ansible-role-nginx-config`) instead of the fully qualified role name (`nginxinc.nginx_config`) in Molecule to ensure tests always work as intended in environments where the role has been already installed beforehand. + DOCUMENTATION: - Update community docs per the latest [NGINX template repository](https://github.com/nginxinc/template-repository) guidelines. CI/CD: -- Add Molecule tests covering common NGINX use cases (web server, reverse proxy), enabling the NGINX stub status metrics, and NGINX Plus API and live metrics dashboard. -- Update the platforms used in the various Molecule scenarios. -- Use the local role name (`ansible-role-nginx-config`) instead of the fully qualified role name (`nginxinc.nginx_config`) in Molecule to ensure tests always work as intended in environments where the role has been already installed beforehand. +- Bump the minimum version of Ansible supported on Ansible Galaxy to `2.16`. +- Update GitHub Actions to Ubuntu 24.04. +- Switch GitHub Actions from using tags to release hashes. +- Remove platform metadata from the Ansible Galaxy role metadata since platforms are no longer supported in Ansible Galaxy NG. + +MAINTENANCE: + +- Remove CentOS 7 related artifacts, tests, and metadata since RHEL 7 related distributions are no longer tested nor supported. ## 0.7.1 (October 3rd, 2023)
@@ -29,7 +40,7 @@ BUG FIXES: CI/CD: - Uncomment the `ansible-compat` version from the CI/CD pipeline. -- Implement F5 CLA signatures. +- Implement F5 CLA. ## 0.7.0 (July 6, 2023)
diff --git a/README.md b/README.md
index b71d8774..fcc3bb0e 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ This role configures NGINX Open Source and NGINX Plus on your target host. ### Ansible -- This role is developed and tested with [maintained](https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html) versions of Ansible core (above `2.12`). +- This role is developed and tested with [maintained](https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html) versions of Ansible core (above `2.16`). - When using Ansible core, you will also need to install the following collections: ```yaml
diff --git a/defaults/main/selinux.yml b/defaults/main/selinux.yml
index c7bfbc29..d594c979 100644
--- a/defaults/main/selinux.yml
+++ b/defaults/main/selinux.yml
@@ -1,5 +1,5 @@ --- -# Set SELinux enforcing for NGINX (Centos/Redhat only) - you may need to open ports on your own +# Set SELinux enforcing for NGINX (Redhat only) - you may need to open ports on your own nginx_config_selinux: false # Enable enforcing mode if true. Permissive if false (audit only, no enforcing) globally (only works with nginx_config_selinux: true)
diff --git a/meta/main.yml b/meta/main.yml
index a956e583..658c5450 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -7,25 +7,7 @@ galaxy_info: license: Apache License, Version 2.0 - min_ansible_version: '2.12' - - platforms: - - name: Alpine - versions: [all] - - name: Amazon Linux - versions: ['2', '2023'] - - name: Debian - versions: [bullseye, bookworm] - - name: EL - versions: ['7', '8', '9'] - - name: FreeBSD - versions: ['12.1', '12.2', '12.3', '12.4', '13.0', '13.1', '13.2'] - - name: OracleLinux - versions: ['7', '8', '9'] - - name: Ubuntu - versions: [focal, jammy, kinetic, lunar] - - name: SLES - versions: ['12', '15'] + min_ansible_version: '2.16' galaxy_tags: - nginx
diff --git a/molecule/common/Dockerfile.j2 b/molecule/common/Dockerfile.j2
index e5918493..5442227b 100644
--- a/molecule/common/Dockerfile.j2
+++ b/molecule/common/Dockerfile.j2
@@ -25,8 +25,7 @@ RUN \
 && dnf clean all; \
 elif [ $(command -v yum) ]; then \
 yum makecache fast \
- && yum install -y bash iproute initscripts sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl \
- && yum install -y http://mirror.centos.org/centos/7/os/x86_64/Packages/yum-plugin-copr-1.1.31-54.el7_8.noarch.rpm http://mirror.centos.org/centos/7/os/x86_64/Packages/libseccomp-2.3.1-4.el7.x86_64.rpm \
+ && yum install -y bash iproute initscripts sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-copr yum-plugin-ovl \
 && yum copr enable -y jsynacek/systemd-backports-for-centos-7 \
 && yum update --disableplugin=priorities -y systemd \
 && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \
diff --git a/molecule/common/requirements/oss_requirements.yml b/molecule/common/requirements/oss_requirements.yml
index 16638666..c0396ce9 100644
--- a/molecule/common/requirements/oss_requirements.yml
+++ b/molecule/common/requirements/oss_requirements.yml
@@ -1,4 +1,4 @@ --- roles: - name: nginxinc.nginx - version: 0.24.0 + version: 0.24.3
diff --git a/molecule/common/requirements/plus_requirements.yml b/molecule/common/requirements/plus_requirements.yml
index 4102e3e8..84a3b57b 100644
--- a/molecule/common/requirements/plus_requirements.yml
+++ b/molecule/common/requirements/plus_requirements.yml
@@ -1,6 +1,7 @@ --- roles: - name: nginxinc.nginx - version: 0.24.0 + version: 0.24.3 - name: nginxinc.nginx_app_protect - version: 0.9.0 + src: https://github.com/nginxinc/ansible-role-nginx-app-protect + version: main
diff --git a/molecule/complete_plus/converge.yml b/molecule/complete_plus/converge.yml
index 72d46b99..0723fece 100644
--- a/molecule/complete_plus/converge.yml
+++ b/molecule/complete_plus/converge.yml
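Review bot: The `yum` arm still enables the `jsynacek/systemd-backports-for-centos-7` COPR and upgrades systemd from it on the line right after the rewritten `yum install`, although the CHANGELOG in this diff says CentOS 7 artifacts are removed and the only image this diff adds to `complete_plus/molecule.yml` is `redhat/ubi9:9.4`, where `dnf` exists and this `elif` is presumably never reached. If the arm is kept for a scenario outside this diff, say so above it, e.g. `# yum-only (no dnf) path kept for <platform>; the CentOS 7 COPR below is only valid there.` with the real platform filled in; otherwise the whole `elif` arm and its COPR can go together with the removed mirror.centos.org RPM URLs. The `RUN` instruction starts and ends outside the hunk.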
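Review bot: `nginxinc.nginx_app_protect` is now fetched from a git `src` at `version: main` in place of the released `0.9.0`; a branch is a moving target, so the Plus scenarios stop being reproducible and any change pushed to that branch — or a compromise of it — reaches CI without review, while the `nginxinc.nginx` entry just above stays pinned to `0.24.3`. Pin `version:` to a tag or a commit of that repository (both are accepted for a git `src`) and, if no release fits, leave a comment stating why the branch is used. `molecule/complete_plus/prepare.yml` in this same diff comments out the `include_role` that consumed this role, so the entry may not be needed at all right now.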
@@ -22,9 +22,9 @@ deployment_location: /etc/nginx/nginx.conf config: main: - load_module: - - modules/ngx_http_app_protect_module.so - - modules/ngx_http_app_protect_dos_module.so + # load_module: + # - modules/ngx_http_app_protect_module.so + # - modules/ngx_http_app_protect_dos_module.so user: nginx worker_processes: auto error_log:
@@ -151,27 +151,27 @@ core: default_type: application/octet-stream keepalive_timeout: 65s - app_protect_waf: - physical_memory_util_thresholds: - high: 100 - low: 100 - cpu_thresholds: - high: 100 - low: 100 - failure_mode_action: pass - cookie_seed: testseed - compressed_requests_action: drop - app_protect_dos: - liveliness: - enable: true - uri: /app_protect_dos_liveliness - port: 8090 - readiness: - enable: true - uri: /app_protect_dos_readiness - port: 8090 - arb_fqdn: 192.168.1.10 - accelerated_mitigation: false + # app_protect_waf: + # physical_memory_util_thresholds: + # high: 100 + # low: 100 + # cpu_thresholds: + # high: 100 + # low: 100 + # failure_mode_action: pass + # cookie_seed: testseed + # compressed_requests_action: drop + # app_protect_dos: + # liveliness: + # enable: true + # uri: /app_protect_dos_liveliness + # port: 8090 + # readiness: + # enable: true + # uri: /app_protect_dos_readiness + # port: 8090 + # arb_fqdn: 192.168.1.10 + # accelerated_mitigation: false grpc: bind: address: $remote_addr
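Review bot: The App Protect WAF/DoS configuration is commented out rather than removed, here (both the `load_module` entries and the `app_protect_waf`/`app_protect_dos` blocks) and in the `@@ -351` and `@@ -390` hunks of this file as well as in `prepare.yml` and `verify.yml`, with no comment saying why or what would bring it back; as far as this diff shows, the `complete_plus` scenario no longer exercises the role's `app_protect_*` keys at all. Either delete the blocks, since git history keeps them, or put one line above each disabled block, e.g. `# NGINX App Protect configuration disabled: re-enable together with the include_role in prepare.yml and the checks in verify.yml.`, extended with the actual reason, which the diff does not state. The `config:` mapping starts and ends outside the hunk.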
@@ -351,26 +351,26 @@ default_server: true server_name: localhost client_max_body_size: 512k - app_protect_waf: - enable: true - policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json - security_log_enable: true - security_log: - - path: /etc/app_protect/conf/log_default.json - dest: syslog:server=10.1.1.1:514 - - path: /etc/app_protect/conf/log_default.json - dest: syslog:server=10.1.1.2:514 - app_protect_dos: - enable: true - policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json - security_log_enable: true - security_log: - path: /etc/app_protect_dos/log-default.json - dest: syslog:server=10.1.1.1:514 - monitor: - uri: http://10.1.1.1:5000/monitor - protocol: http2 - timeout: 10 + # app_protect_waf: + # enable: true + # policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json + # security_log_enable: true + # security_log: + # - path: /etc/app_protect/conf/log_default.json + # dest: syslog:server=10.1.1.1:514 + # - path: /etc/app_protect/conf/log_default.json + # dest: syslog:server=10.1.1.2:514 + # app_protect_dos: + # enable: true + # policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json + # security_log_enable: true + # security_log: + # path: /etc/app_protect_dos/log-default.json + # dest: syslog:server=10.1.1.1:514 + # monitor: + # uri: http://10.1.1.1:5000/monitor + # protocol: http2 + # timeout: 10 auth_jwt: enable: realm: realm 
@@ -390,24 +390,24 @@ format: main locations: - location: / - app_protect_waf: - enable: true - policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json - security_log_enable: true - security_log: - - path: /etc/app_protect/conf/log_default.json - dest: syslog:server=10.1.1.1:514 - - path: /etc/app_protect/conf/log_default.json - dest: syslog:server=10.1.1.2:514 - app_protect_dos: - enable: true - policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json - security_log_enable: true - security_log: - path: /etc/app_protect_dos/log-default.json - dest: syslog:server=10.1.1.1:514 - monitor: http://10.1.1.1:5000/monitor - api: true + # app_protect_waf: + # enable: true + # policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json + # security_log_enable: true + # security_log: + # - path: /etc/app_protect/conf/log_default.json + # dest: syslog:server=10.1.1.1:514 + # - path: /etc/app_protect/conf/log_default.json + # dest: syslog:server=10.1.1.2:514 + # app_protect_dos: + # enable: true + # policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json + # security_log_enable: true + # security_log: + # path: /etc/app_protect_dos/log-default.json + # dest: syslog:server=10.1.1.1:514 + # monitor: http://10.1.1.1:5000/monitor + # api: true auth_jwt: enable: false leeway: 0s
diff --git a/molecule/complete_plus/molecule.yml b/molecule/complete_plus/molecule.yml
index 0b6c7d58..575ac405 100644
--- a/molecule/complete_plus/molecule.yml
+++ b/molecule/complete_plus/molecule.yml
@@ -9,18 +9,18 @@ lint: | set -e ansible-lint --force-color platforms: - - name: centos-7 - image: centos:7 - platform: amd64 + - name: rhel-8 + image: redhat/ubi9:9.4 + platform: x86_64 dockerfile: ../common/Dockerfile.j2 privileged: true cgroupns_mode: host volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw command: /usr/sbin/init - - name: ubuntu-bionic - image: ubuntu:bionic - platform: amd64 + - name: ubuntu-jammy + image: ubuntu:jammy + platform: x86_64 dockerfile: ../common/Dockerfile.j2 privileged: true cgroupns_mode: host
diff --git a/molecule/complete_plus/prepare.yml b/molecule/complete_plus/prepare.yml
index 2c5347b5..db2c6fc4 100644
--- a/molecule/complete_plus/prepare.yml
+++ b/molecule/complete_plus/prepare.yml
@@ -30,13 +30,13 @@ key: ../common/files/license/nginx-repo.key nginx_remove_license: false - - name: Install NGINX App Protect WAF - ansible.builtin.include_role: - name: nginxinc.nginx_app_protect - vars: - nginx_app_protect_waf_enable: true - nginx_app_protect_dos_enable: true - nginx_app_protect_setup_license: false - nginx_app_protect_remove_license: false - nginx_app_protect_install_signatures: false - nginx_app_protect_install_threat_campaigns: false + # - name: Install NGINX App Protect WAF + # ansible.builtin.include_role: + # name: nginxinc.nginx_app_protect + # vars: + # nginx_app_protect_waf_enable: true + # nginx_app_protect_dos_enable: true + # nginx_app_protect_setup_license: false + # nginx_app_protect_remove_license: false + # nginx_app_protect_install_signatures: false + # nginx_app_protect_install_threat_campaigns: false
diff --git a/molecule/complete_plus/verify.yml b/molecule/complete_plus/verify.yml
index 0a7834f9..97fab665 100644
--- a/molecule/complete_plus/verify.yml
+++ b/molecule/complete_plus/verify.yml
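Review bot: The first platform is named `rhel-8` while its `image:` is `redhat/ubi9:9.4`, a RHEL 9 UBI image; the platform name is what Molecule prints for the instance, so a failed run would point at the wrong OS major. Rename it to match the image, `- name: rhel-9`, or change the image if RHEL 8 was the intent. The `platforms:` list continues outside the hunk.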
@@ -19,28 +19,28 @@ register: service failed_when: (service is changed) or (service is failed) - - name: Functional tests - when: ansible_facts['os_family'] != 'Alpine' - block: - - name: Check that a page returns a status 200 and fail if the words Hello World are not in the page contents - ansible.builtin.uri: - url: http://localhost - return_content: true - register: this - failed_when: "'Hello World' not in this['content']" + # - name: Functional tests + # when: ansible_facts['os_family'] != 'Alpine' + # block: + # - name: Check that a page returns a status 200 and fail if the words Hello World are not in the page contents + # ansible.builtin.uri: + # url: http://localhost + # return_content: true + # register: this + # failed_when: "'Hello World' not in this['content']" - - name: Check that a page returns a status 200 and fail if the words Request Rejected are not in the page contents - ansible.builtin.uri: - url: http://localhost/?v=