diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index 5409b42..9aa3c81 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@@ -54,17 +54,21 @@ jobs:
           - uninstall
     steps:
       - name: Check out the codebase
+        if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}
         uses: actions/checkout@v4
 
       - name: Set up Python 3
+        if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}
         uses: actions/setup-python@v5
         with:
           python-version: 3.x
 
       - name: Install Molecule dependencies
+        if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}
         run: pip3 install -r .github/workflows/requirements/requirements_molecule.txt
 
       - name: Install Ansible core dependencies
+        if: ${{ env.NGINX_CRT != 0 && env.NGINX_KEY != 0 }}
         run: ansible-galaxy install -r .github/workflows/requirements/requirements_ansible.yml
 
       - name: Run Molecule tests
@@ -73,4 +77,3 @@ jobs:
         env:
           PY_COLORS: 1
           ANSIBLE_FORCE_COLOR: 1
-
diff --git a/molecule/advanced/prepare.yml b/molecule/advanced/prepare.yml
index 40d4002..ce35bef 100644
--- a/molecule/advanced/prepare.yml
+++ b/molecule/advanced/prepare.yml
@@ -3,14 +3,14 @@
   hosts: localhost
   gather_facts: false
   tasks:
-    - name: Create ephemeral license certificate file from b64 decoded env var # noqa template-instead-of-copy
+    - name: Create ephemeral license certificate file from b64 decoded env var
       ansible.builtin.copy:
         content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}"
         dest: ../../files/license/nginx-repo.crt
         force: false
         mode: "0444"
 
-    - name: Create ephemeral license key file from b64 decoded env var # noqa template-instead-of-copy
+    - name: Create ephemeral license key file from b64 decoded env var
       ansible.builtin.copy:
         content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}"
         dest: ../../files/license/nginx-repo.key
diff --git a/molecule/common/prepare.yml b/molecule/common/prepare.yml
index 42445dd..4044500 100644
--- a/molecule/common/prepare.yml
+++ b/molecule/common/prepare.yml
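Review bot: The step guards added to the four setup steps compare the env values against the integer 0 (`env.NGINX_CRT != 0`), which only works through GitHub's cross-type coercion (an empty string becomes 0, a base64 string becomes NaN) and reads as if the variable were numeric; the intended "is set" check is `if: ${{ env.NGINX_CRT != '' && env.NGINX_KEY != '' }}`. Since the expression is identical on every step, a single job-level `if:` would state the guard once instead of per step. Whether the closing "Run Molecule tests" step carries the same guard is outside the hunk; if it does not, a run without the license material skips checkout and setup but still invokes molecule.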
@@ -3,14 +3,14 @@
   hosts: localhost
   gather_facts: false
   tasks:
-    - name: Create ephemeral license certificate file from b64 decoded env var # noqa template-instead-of-copy
+    - name: Create ephemeral license certificate file from b64 decoded env var
       ansible.builtin.copy:
         content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}"
         dest: ../../files/license/nginx-repo.crt
         force: false
         mode: "0444"
 
-    - name: Create ephemeral license key file from b64 decoded env var # noqa template-instead-of-copy
+    - name: Create ephemeral license key file from b64 decoded env var
       ansible.builtin.copy:
         content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}"
         dest: ../../files/license/nginx-repo.key
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 1162be2..7a4601f 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -1,23 +1,23 @@
 ---
 - name: Converge
   hosts: all
-  vars:
-    rhel_subscription: false
   pre_tasks:
     - name: (RHEL) Check if there is a valid RHEL subscription
-      ansible.builtin.set_fact:
-        rhel_subscription: true
-      when:
-        - lookup('env', 'RHEL_USERNAME') | length > 0
-        - lookup('env', 'RHEL_PASSWORD') | length > 0
-
-    - name: (RHEL) Register system into RHEL subscription manager
-      community.general.redhat_subscription:
-        username: "{{ lookup('env', 'RHEL_USERNAME') }}"
-        password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
       when:
         - ansible_facts['distribution'] == "RedHat"
-        - rhel_subscription | bool
+        - ansible_facts['distribution_major_version'] is version('8', '>=')
+      block:
+        - name: (RHEL) Pre-emptively fail
+          ansible.builtin.fail:
+            msg: "RHEL subscription is required for this role to work on RHEL 8/9"
+          when:
+            - lookup('env', 'RHEL_USERNAME') | length == 0
+            - lookup('env', 'RHEL_PASSWORD') | length == 0
+
+        - name: (RHEL) Register system into RHEL subscription manager
+          community.general.redhat_subscription:
+            username: "{{ lookup('env', 'RHEL_USERNAME') }}"
+            password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
   tasks:
     - name: Install NGINX App Protect WAF
       ansible.builtin.include_role:
@@ -26,7 +26,7 @@
         nginx_app_protect_license:
           certificate: license/nginx-repo.crt
           key: license/nginx-repo.key
-        nginx_app_protect_use_rhel_subscription_repos: "{{ rhel_subscription }}"
+        nginx_app_protect_use_rhel_subscription_repos: false
         nginx_app_protect_remove_license: false
         nginx_app_protect_waf_install_signatures: true
         nginx_app_protect_waf_install_threat_campaigns: true
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 50ef8c1..a661ccb 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -39,7 +39,7 @@ platforms:
         - /sys/fs/cgroup:/sys/fs/cgroup:rw
       command: /usr/sbin/init
     - name: rhel-8
-      image: redhat/ubi8:8.7
+      image: redhat/ubi8:8.10
       platform: x86_64
       dockerfile: ../common/Dockerfile.j2
       privileged: true
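Review bot: The "(RHEL) Pre-emptively fail" task only fires when both `RHEL_USERNAME` and `RHEL_PASSWORD` are empty, because list items under `when` are ANDed; with just one of them unset the block goes on to `community.general.redhat_subscription` with an empty credential and fails there with a far less useful error. The guard should trip when either is missing, e.g. `when: lookup('env', 'RHEL_USERNAME') | length == 0 or lookup('env', 'RHEL_PASSWORD') | length == 0`. The same block is introduced in molecule/dos/converge.yml and molecule/uninstall/prepare.yml in this commit. The message names "RHEL 8/9" while the block condition is `version('8', '>=')`, so it would be misleading on a later major version; "RHEL 8 or newer" keeps the two in step.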
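Review bot: Hard-coding `nginx_app_protect_use_rhel_subscription_repos: false` means the subscription check that tasks/common/validate/validate.yml gains in this commit (it only runs when that variable is true) is never exercised by this scenario, even though the pre_tasks above now register the host. If the scenario is meant to cover the subscription path on the RHEL platforms, something like `nginx_app_protect_use_rhel_subscription_repos: "{{ ansible_facts['distribution'] == 'RedHat' }}"` would do so; if opting out is intentional, a one-line comment saying why the host is registered but its repos are not used would save the next reader the question. The same value is set in molecule/dos/converge.yml and molecule/uninstall/prepare.yml.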
@@ -48,7 +48,7 @@ platforms:
         - /sys/fs/cgroup:/sys/fs/cgroup:rw
       command: /usr/sbin/init
     - name: rhel-9
-      image: redhat/ubi9:9.1.0
+      image: redhat/ubi9:9.4
       env:
         SMDEV_CONTAINER_OFF: "1"
       platform: x86_64
diff --git a/molecule/dos/converge.yml b/molecule/dos/converge.yml
index 9868680..9d8d719 100644
--- a/molecule/dos/converge.yml
+++ b/molecule/dos/converge.yml
@@ -1,23 +1,23 @@
 ---
 - name: Converge
   hosts: all
-  vars:
-    rhel_subscription: false
   pre_tasks:
     - name: (RHEL) Check if there is a valid RHEL subscription
-      ansible.builtin.set_fact:
-        rhel_subscription: true
-      when:
-        - lookup('env', 'RHEL_USERNAME') | length > 0
-        - lookup('env', 'RHEL_PASSWORD') | length > 0
-
-    - name: (RHEL) Register system into RHEL subscription manager
-      community.general.redhat_subscription:
-        username: "{{ lookup('env', 'RHEL_USERNAME') }}"
-        password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
       when:
         - ansible_facts['distribution'] == "RedHat"
-        - rhel_subscription| bool
+        - ansible_facts['distribution_major_version'] is version('8', '>=')
+      block:
+        - name: (RHEL) Pre-emptively fail
+          ansible.builtin.fail:
+            msg: "RHEL subscription is required for this role to work on RHEL 8/9"
+          when:
+            - lookup('env', 'RHEL_USERNAME') | length == 0
+            - lookup('env', 'RHEL_PASSWORD') | length == 0
+
+        - name: (RHEL) Register system into RHEL subscription manager
+          community.general.redhat_subscription:
+            username: "{{ lookup('env', 'RHEL_USERNAME') }}"
+            password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
   tasks:
     - name: Install NGINX App Protect DoS
       ansible.builtin.include_role:
@@ -25,7 +25,7 @@
       vars:
         nginx_app_protect_waf_enable: false
         nginx_app_protect_dos_enable: true
-        nginx_app_protect_use_rhel_subscription_repos: "{{ rhel_subscription }}"
+        nginx_app_protect_use_rhel_subscription_repos: false
         nginx_app_protect_license:
           certificate: license/nginx-repo.crt
           key: license/nginx-repo.key
diff --git a/molecule/dos/molecule.yml b/molecule/dos/molecule.yml
index 3bafc1e..46cde2b 100644
--- a/molecule/dos/molecule.yml
+++ b/molecule/dos/molecule.yml
@@ -12,7 +12,7 @@ platforms:
         - /sys/fs/cgroup:/sys/fs/cgroup:rw
       command: /sbin/init
     - name: rhel-8
-      image: redhat/ubi8:8.7
+      image: redhat/ubi8:8.10
       platform: x86_64
       dockerfile: ../common/Dockerfile.j2
       privileged: true
diff --git a/molecule/uninstall/prepare.yml b/molecule/uninstall/prepare.yml
index 08815f0..05b117c 100644
--- a/molecule/uninstall/prepare.yml
+++ b/molecule/uninstall/prepare.yml
@@ -5,43 +5,43 @@
   tasks:
     - name: Create ephemeral license certificate file from b64 decoded env var
       ansible.builtin.copy:
-        content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}" # noqa template-instead-of-copy
+        content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}"
         dest: ../../files/license/nginx-repo.crt
         force: false
         mode: "0444"
 
     - name: Create ephemeral license key file from b64 decoded env var
       ansible.builtin.copy:
-        content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}" # noqa template-instead-of-copy
+        content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}"
         dest: ../../files/license/nginx-repo.key
         force: false
         mode: "0444"
 
 - name: Install NGINX App Protect WAF and DoS
   hosts: all
-  vars:
-    rhel_subscription: false
   pre_tasks:
     - name: (RHEL) Check if there is a valid RHEL subscription
-      ansible.builtin.set_fact:
-        rhel_subscription: true
-      when:
-        - lookup('env', 'RHEL_USERNAME') | length > 0
-        - lookup('env', 'RHEL_PASSWORD') | length > 0
-
-    - name: (RHEL) Register system into RHEL subscription manager
-      community.general.redhat_subscription:
-        username: "{{ lookup('env', 'RHEL_USERNAME') }}"
-        password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
       when:
         - ansible_facts['distribution'] == "RedHat"
-        - rhel_subscription| bool
+        - ansible_facts['distribution_major_version'] is version('8', '>=')
+      block:
+        - name: (RHEL) Pre-emptively fail
+          ansible.builtin.fail:
+            msg: "RHEL subscription is required for this role to work on RHEL 8/9"
+          when:
+            - lookup('env', 'RHEL_USERNAME') | length == 0
+            - lookup('env', 'RHEL_PASSWORD') | length == 0
+
+        - name: (RHEL) Register system into RHEL subscription manager
+          community.general.redhat_subscription:
+            username: "{{ lookup('env', 'RHEL_USERNAME') }}"
+            password: "{{ lookup('env', 'RHEL_PASSWORD') }}"
   tasks:
     - name: Install NGINX App Protect WAF
       ansible.builtin.include_role:
         name: ansible-role-nginx-app-protect
       vars:
-        nginx_app_protect_use_rhel_subscription_repos: "{{ rhel_subscription }}"
+        nginx_app_protect_use_rhel_subscription_repos: false
         nginx_app_protect_license:
           certificate: license/nginx-repo.crt
           key: license/nginx-repo.key
@@ -49,10 +49,3 @@
         nginx_app_protect_waf_install_signatures: true
         nginx_app_protect_waf_install_threat_campaigns: true
         nginx_app_protect_dos_enable: true
-  post_tasks:
-    - name: (RHEL) Unregister system from RHEL subscription manager
-      community.general.redhat_subscription:
-        state: absent
-      when:
-        - ansible_facts['distribution'] == "RedHat"
-        - rhel_subscription | bool
diff --git a/tasks/common/validate/validate.yml b/tasks/common/validate/validate.yml
index d1e9049..480a592 100644
--- a/tasks/common/validate/validate.yml
+++ b/tasks/common/validate/validate.yml
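Review bot: The key task in this hunk writes the decoded `NGINX_KEY` to `../../files/license/nginx-repo.key` with `mode: "0444"`, i.e. world-readable on the controller; a private key should be `mode: "0400"`, with `0444` kept for the certificate only. The same task exists in molecule/advanced/prepare.yml and molecule/common/prepare.yml, where the key's `mode` line sits outside their hunks. Separately, the registration now performed in pre_tasks has no counterpart any more: the post_tasks unregister is deleted in the following hunk, so every test host stays registered after the run, and if these are throwaway containers the registrations accumulate in the account until someone cleans them up.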
@@ -25,13 +25,22 @@
     - nginx_app_protect_dos_state != "absent"
   ignore_errors: true # noqa ignore-errors
 
-- name: Warn if installing NGINX App Protect on RHEL >7 without subscription details
-  ansible.builtin.fail:
-    msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_facts['distribution_version'] }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role and then set the 'nginx_app_protect_use_rhel_subscription_repos' variable to true.
+- name: Check if you can run NAP
   when:
     - ansible_facts['distribution'] == "RedHat"
-    - not nginx_app_protect_use_rhel_subscription_repos | bool
-  ignore_errors: true # noqa ignore-errors
+    # - ansible_facts['distribution_major_version'] is version('7', '>')
+    - nginx_app_protect_use_rhel_subscription_repos | bool
+  block:
+    - name: Check if Red Hat subscription is active
+      ansible.builtin.command: subscription-manager status
+      register: rh_subscription_status
+      changed_when: false
+
+    - name: Fail if installing NGINX App Protect on RHEL >7 without subscription details
+      ansible.builtin.fail:
+        msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_facts['distribution_version'] }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role.
+      when:
+        - "'Current' not in rh_subscription_status['stdout']"
 
 - name: Check that 'nginx_app_protect_waf_setup' is an allowed value
   ansible.builtin.assert:
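Review bot: `subscription-manager status` exits non-zero when the overall status is anything other than Current, so on an unregistered host the command task itself fails and the "Fail if ..." task with the explanatory message is never reached; the command task needs `failed_when: false`, since its stdout rather than its exit code is what the next task inspects. The registered variable is also undefined in check mode, where command tasks are skipped, so the following `when` would raise; `check_mode: false` on the same task covers that. The commented-out `# - ansible_facts['distribution_major_version'] is version('7', '>')` leaves the RHEL 7 case undecided while the task name and message still say "RHEL >7"; either restore the condition or drop the comment. Matching 'Current' in stdout may additionally misfire on accounts using Simple Content Access, where the overall status is reported differently although content is reachable, so a more robust check may be warranted — I can't confirm that from here.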