Merge branch 'main' into nap
alessfg authored Aug 19, 2024
2 parents 419cce8 + 5a8d46a commit bc717ef
Showing 15 changed files with 130 additions and 10 deletions.
63 changes: 63 additions & 0 deletions .github/workflows/ossf-scorecard.yml
@@ -0,0 +1,63 @@
---
# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation.
name: OSSF Scorecard
on:
# For Branch-Protection check. Only the default branch is supported. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection.
branch_protection_rule:
push:
branches: [main]
# To guarantee Maintained check is occasionally updated. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained.
schedule:
- cron: "0 0 * * 1"
workflow_dispatch:
# Declare default permissions as read only.
permissions: read-all
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-24.04
permissions:
# Needed if using Code Scanning alerts
security-events: write
# Needed for GitHub OIDC token if publish_results is true
id-token: write
# Uncomment the permissions below if installing on a private repository.
# contents: read
# actions: read
# issues: read # To allow GraphQL ListCommits to work
# pull-requests: read # To allow GraphQL ListCommits to work
# checks: read # To detect SAST tools
steps:
- name: Check out the codebase
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

- name: Run analysis
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
# (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if:
# - You want to enable the Branch-Protection check on a *public* repository.
# - You are installing the OSSF Scorecard on a *private* repository.
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional.
# repo_token: ${{ secrets.SCORECARD_TOKEN }}

# Publish the results for public repositories to enable scorecard badges. For more details, see https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories, `publish_results` will automatically be set to `false`, regardless of the value entered here.
publish_results: true

# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF format to the repository Actions tab.
- name: Upload artifact
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: Upload SARIF results to code scanning
uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
with:
sarif_file: results.sarif
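Review bot: the three `uses:` references are pinned to commit SHAs with the release recorded in a trailing comment, which is the right pattern, but a pinned SHA that is never refreshed silently becomes a stale dependency; make sure the repository's dependency-update configuration covers the `github-actions` ecosystem so the SHA and its version comment are bumped together. The permission model is otherwise tight: `permissions: read-all` at workflow level, with the job adding only `security-events: write` (needed by the `upload-sarif` step) and `id-token: write` (needed because `publish_results: true`). Keep `persist-credentials: false` on the checkout step when this is copied elsewhere; it is what stops the workflow token from being written into `.git/config`, where a later step in the job could read it.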
2 changes: 1 addition & 1 deletion .github/workflows/requirements/requirements_molecule.txt
@@ -1,6 +1,6 @@
ansible-core==2.16.6
jinja2==3.1.4
ansible-compat==24.7.0
molecule==24.7.0
molecule==24.8.0
molecule-plugins[docker]==23.5.3
docker==7.1.0
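Review bot: the Molecule tooling stays pinned to exact versions (`molecule==24.8.0` after this bump), but an exact version pin only selects which artifact `pip` downloads; it does not verify it. Adding `--hash=sha256:...` entries (for example via `pip-compile --generate-hashes`) would make the CI install tamper-evident, which is consistent with the supply-chain posture the Scorecard workflow in this same commit introduces.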
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -4,17 +4,20 @@

FEATURES:

- Add validation tasks to check the Ansible version, the Jinja2 version, and whether the required Ansible collections for this role are installed.
- Bump the Ansible `community.general` collection to `9.2.0`, `community.crypto` collection to `2.21.1` and `community.docker` collection to `3.11.0`.

BUG FIXES:

- Fix incompatibility when using the `listen` directive and setting both the `quic` and `so_keepalive` parameters.
- Correct cleanup error when `nginx_config_cleanup_paths` is not defined.

TESTS:

- Add Molecule tests covering common NGINX use cases (web server, reverse proxy), enabling the NGINX stub status metrics, and NGINX Plus API and live metrics dashboard.
- Update the platforms used in the various Molecule scenarios.
- Use the local role name (`ansible-role-nginx-config`) instead of the fully qualified role name (`nginxinc.nginx_config`) in Molecule to ensure tests always work as intended in environments where the role has been already installed beforehand.
- Update RHEL UBI images to UBI 9.4.

DOCUMENTATION:

@@ -27,6 +30,7 @@ CI/CD:
- Update GitHub Actions to Ubuntu 24.04.
- Switch GitHub Actions from using tags to release hashes.
- Remove platform metadata from the Ansible Galaxy role metadata since platforms are no longer supported in Ansible Galaxy NG.
- Implement OSSF Scorecard.

MAINTENANCE:

2 changes: 1 addition & 1 deletion molecule/api_plus/molecule.yml
@@ -26,7 +26,7 @@ platforms:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
command: /sbin/init
- name: rhel-9
image: redhat/ubi9:9.3
image: redhat/ubi9:9.4
dockerfile: ../common/Dockerfile.j2
privileged: true
cgroupns_mode: host
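Review bot: `image: redhat/ubi9:9.4` (and the identical line in the other seven `molecule.yml` files in this commit) pins the test platform by a mutable tag. Red Hat republishes the `9.4` tag as the image is rebuilt, so two runs of the same scenario can pull different bits and the bump from `9.3` is only nominally a point-in-time change. If reproducible test platforms matter, pin `redhat/ubi9@sha256:<digest>` (digest deliberately left as a placeholder here) with the version in a trailing comment, the same convention the workflow SHAs use; if a floating tag is the intent for test containers, a short comment saying so would save the next reviewer the question.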
2 changes: 1 addition & 1 deletion molecule/cleanup_config/molecule.yml
@@ -26,7 +26,7 @@ platforms:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
command: /sbin/init
- name: rhel-9
image: redhat/ubi9:9.3
image: redhat/ubi9:9.4
dockerfile: ../common/Dockerfile.j2
privileged: true
cgroupns_mode: host
2 changes: 1 addition & 1 deletion molecule/complete/molecule.yml
@@ -26,7 +26,7 @@ platforms:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
command: /sbin/init
- name: rhel-9
image: redhat/ubi9:9.3
image: redhat/ubi9:9.4
dockerfile: ../common/Dockerfile.j2
privileged: true
cgroupns_mode: host
2 changes: 1 addition & 1 deletion molecule/default/molecule.yml
@@ -26,7 +26,7 @@ platforms:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
command: /sbin/init
- name: rhel-9
image: redhat/ubi9:9.3
image: redhat/ubi9:9.4
dockerfile: ../common/Dockerfile.j2
privileged: true
cgroupns_mode: host
2 changes: 1 addition & 1 deletion molecule/push_config/molecule.yml
@@ -26,7 +26,7 @@ platforms:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
command: /sbin/init
- name: rhel-9
image: redhat/ubi9:9.3
image: redhat/ubi9:9.4
dockerfile: ../common/Dockerfile.j2
privileged: true
cgroupns_mode: host
2 changes: 1 addition & 1 deletion molecule/reverse_proxy/molecule.yml
@@ -26,7 +26,7 @@ platforms:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
command: /sbin/init
- name: rhel-9
image: redhat/ubi9:9.3
image: redhat/ubi9:9.4
dockerfile: ../common/Dockerfile.j2
privileged: true
cgroupns_mode: host
2 changes: 1 addition & 1 deletion molecule/stub_status/molecule.yml
@@ -26,7 +26,7 @@ platforms:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
command: /sbin/init
- name: rhel-9
image: redhat/ubi9:9.3
image: redhat/ubi9:9.4
dockerfile: ../common/Dockerfile.j2
privileged: true
cgroupns_mode: host
2 changes: 1 addition & 1 deletion molecule/web_server/molecule.yml
@@ -26,7 +26,7 @@ platforms:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
command: /sbin/init
- name: rhel-9
image: redhat/ubi9:9.3
image: redhat/ubi9:9.4
dockerfile: ../common/Dockerfile.j2
privileged: true
cgroupns_mode: host
3 changes: 2 additions & 1 deletion tasks/config/cleanup-config.yml
@@ -12,5 +12,6 @@
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop: "{{ nginx_config_files['results'] | map(attribute='files') | sum(start=[]) | map(attribute='path') | list + nginx_config_cleanup_files | default('') | list }}"
loop: "{{ nginx_config_files['results'] | default('') | map(attribute='files') | sum(start=[]) | map(attribute='path') | list + nginx_config_cleanup_files | default('') | list }}"
notify: (Handler - NGINX Config) Run NGINX
when: nginx_config_cleanup_files is defined or nginx_config_cleanup_paths is defined
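Review bot: `nginx_config_files['results'] | default('')` guards the case where the registered `nginx_config_files` has no `results` key, which is the cleanup error the CHANGELOG entry describes, but an empty string is the wrong type for a value that is immediately piped through `map(attribute='files') | sum(start=[])`; it only works because iterating `''` yields nothing. `default([])` states the intent and keeps the expression a list throughout, and the same applies to `nginx_config_cleanup_files | default('')`, which is concatenated onto a list with `+`. With both defaults as lists the `when:` clause is the only thing deciding whether the task runs at all, and an empty loop is a harmless no-op.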
4 changes: 4 additions & 0 deletions tasks/main.yml
@@ -1,4 +1,8 @@
---
- name: Validate Ansible/Jinja2 version and Ansible collections
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate/validate.yml"
tags: nginx_config_validate

- name: Set up SELinux
ansible.builtin.include_tasks: "{{ role_path }}/tasks/prerequisites/setup-selinux.yml"
when:
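Review bot: `tags: nginx_config_validate` on an `ansible.builtin.include_tasks` applies to the include statement only, and the tasks inside `validate.yml` carry no tags of their own. `--skip-tags nginx_config_validate` therefore skips the whole file (likely the intended use), but `--tags nginx_config_validate` runs the include and then none of the included assertions. If running the checks on their own should work, add `apply: { tags: nginx_config_validate }` next to the include, or tag the tasks in `validate.yml`.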
45 changes: 45 additions & 0 deletions tasks/validate/validate.yml
@@ -0,0 +1,45 @@
---
- name: Verify you are using a supported Ansible version on your Ansible host
ansible.builtin.assert:
that: ansible_version['full'] is version(nginx_config_ansible_version, '>=')
success_msg: Ansible {{ ansible_version['full'] }} is supported.
fail_msg: Ansible {{ ansible_version['full'] }} has reached End of Life (EoL). Please upgrade to a supported Ansible release. Check the README for more details.
delegate_to: localhost
ignore_errors: true # noqa ignore-errors

- name: Extract the version of Jinja2 installed on your Ansible host
ansible.builtin.command: ansible --version
register: jinja2_version
changed_when: false
delegate_to: localhost
become: false

- name: Verify that you are using a supported Jinja2 version on your Ansible host
ansible.builtin.assert:
that: (jinja2_version['stdout'] | regex_search('jinja version = ([\\d.]+)', '\\1') | first) is version(nginx_config_jinja2_version, '>=')
success_msg: Jinja2 {{ jinja2_version['stdout'] | regex_search('jinja version = ([\d.]+)', '\1') | first }} is supported.
fail_msg: Jinja2 {{ jinja2_version['stdout'] | regex_search('jinja version = ([\d.]+)', '\1') | first }} is not supported. Please upgrade to Jinja2 3.1. Check the README for more details.
delegate_to: localhost
become: false

- name: Verify that the 'community.general' and 'ansible.posix' Ansible collections are installed on your Ansible host
when: nginx_config_selinux | bool
delegate_to: localhost
become: false
block:
- name: Extract the list of Ansible collections installed on your Ansible host
ansible.builtin.command: ansible-galaxy collection list
register: collection_list
changed_when: false

- name: Verify that the 'community.general' Ansible collection is installed on your Ansible host
ansible.builtin.assert:
that: collection_list is search('community.general')
success_msg: The 'community.general' Ansible collection is installed.
fail_msg: The 'community.general' Ansible collection is not installed. Please install the 'community.general' Ansible collection. Check the README for more details.

- name: Verify that the 'ansible.posix' Ansible collection is installed on your Ansible host
ansible.builtin.assert:
that: lookup('community.general.collection_version', 'ansible.posix') != 'none'
success_msg: The 'ansible.posix' Ansible collection is installed.
fail_msg: The 'ansible.posix' Ansible collection is not installed. Please install the 'ansible.posix' Ansible collection. Check the README for more details.
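Review bot: `lookup('community.general.collection_version', 'ansible.posix') != 'none'` compares against the string `'none'`, but per the lookup's documentation a collection that is not installed yields its `result_not_found` value, which defaults to Python `None` rather than the text `'none'`; as written the assertion can pass when `ansible.posix` is absent. Use the Jinja test instead, `that: lookup('community.general.collection_version', 'ansible.posix') is not none`, or pass `result_not_found='none'` explicitly so the string comparison is meaningful. Two smaller points in the same file: `collection_list is search('community.general')` runs a regex over the whole registered dict (stringified) rather than `collection_list['stdout']`, and the unescaped `.` matches any character, so `collection_list['stdout'] is search('community\\.general')` is the precise form; and `ignore_errors: true` on the Ansible-version assert turns a "Verify" task into an advisory one, which is fine if the EoL message is meant as a warning but should be reflected in the task name so nobody assumes the run would have stopped.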
3 changes: 3 additions & 0 deletions vars/main.yml
@@ -1 +1,4 @@
---
# Set the minimum version required for Ansible and Jinja2
nginx_config_ansible_version: 2.16
nginx_config_jinja2_version: 3.1
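Review bot: `nginx_config_ansible_version: 2.16` and `nginx_config_jinja2_version: 3.1` are unquoted and so parse as YAML floats. The `version()` test in `validate.yml` stringifies them, so `2.16` and `3.1` survive intact today, but a future minimum such as `2.10` or `2.20` would become `2.1` or `2.2` and silently loosen the check. Quote them (`"2.16"`, `"3.1"`) so they stay strings, and the comment above could say they are minimum supported versions rather than "the minimum version required".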

0 comments on commit bc717ef
