Draft: Remove Azure pipeline task. Support protected files and remove need for rg permissions for service principal #39
Conversation
The Azure Pipeline task currently resides in the GitHub Actions repository, but this structure does not follow GitHub's guidelines for publishing actions. As a result, the autogenerated action documentation provides incorrect usage instructions (e.g., suggesting uses: nginxinc/[email protected]), which fails because the action is located in a subdirectory.
This change enables the use of "az nginx deployment" cli to do configuration updates. This helps limit the permissions needed by the service principal to do config updates. This change also adds support for the protected files feature supported by NGINXaaS. Users can give a new optional input called protected-files that contains a comma separated list of all the files that need to be marked as protected. For more information, visit: https://docs.nginx.com/nginxaas/azure/getting-started/nginx-configuration/nginx-configuration-portal/#add-an-nginx-configuration
kuthiala
changed the title
There was a problem hiding this comment.
@kuthiala - given that these are both substantial changes (splitting up Actions and Azure pipeline, replace ARM templates with Azure CLI), I'd recommend creating separate MRs for these so we can discuss each one on it's merits (unless you feel there is a strong coupling in which case, I'd still prefer them to be separate but maybe sequenced in the right order). Also, when removing support for Azure pipelines, are you considering moving that to a separate repository or just removing it entirely? I'm not sure if we have customers actively using this (can we tell?) but I'd prefer we move this rather than removing it.
| @@ -1,32 +1,200 @@ | |||
| # NGINXaaS for Azure Configuration Automation | |||
| # NGINXaaS for Azure Deployment Action | |||
There was a problem hiding this comment.
This is a move in the right direction to come inline with Github Actions documentation 👍
- Can you please file work to track Azure Pipelines separately? We want to move it to separate repo and follow Azure guidelines around Pipelines tasks.
- I'd also suggest looking into usage for this Pipeline task. Are there any customers using this? If so, removing it completely is not a good idea. You may want to follow deprecation guidelines to point users to where the task is actually hosted from here on.
| @@ -1,69 +1,72 @@ | |||
| #!/bin/bash | |||
| set -euo pipefail | |||
| set -eo pipefail | |||
There was a problem hiding this comment.
was there a reason to drop -u? It's usually good to have it.
| az_cmd=( | ||
| "az" | ||
| "nginx" |
There was a problem hiding this comment.
Do you need /src/nginx-for-azure-configuration-template.json anymore? If not, can we not delete it as part of this commit?
| if: ${{ inputs.nginx-deployment-location != '' && inputs.nginx-certificates != '' }} | ||
| shell: bash | ||
| - name: "Synchronize NGINX configuration from the Git repository to an NGINXaaS for Azure deployment" | ||
| run: ${{github.action_path}}/src/deploy-config.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --config_dir_path=${{ inputs.nginx-config-directory-path }} --root_config_file=${{ inputs.nginx-root-config-file }} --transformed_config_dir_path=${{ inputs.transformed-nginx-config-directory-path }} --debug=${{ inputs.debug }} | ||
| run: ${{github.action_path}}/src/deploy-config.sh --subscription-id=${{ inputs.subscription-id }} --resource-group-name=${{ inputs.resource-group-name }} --nginx-deployment-name=${{ inputs.nginx-deployment-name }} --nginx-config-directory-path=${{ inputs.nginx-config-directory-path }} --nginx-root-config-file=${{ inputs.nginx-root-config-file }} --transformed-nginx-config-directory-path=${{ inputs.transformed-nginx-config-directory-path }} --protected-files=${{ inputs.protected-files }} --debug=${{ inputs.debug }} |
There was a problem hiding this comment.
here's a quick suggestion:
I agree with what you are doing here but:
- This MR is too big in scope as you are already removing the Azure Task.
- And I see that we have only made changes to
deploy-config.shand notdeploy-certificate.sh? 🤔
I'd recommend the following:
- Keep this MR to retiring the Azure Pipeline Task.
- Split up the rest of the work into its own where you are replacing what the Action itself is doing underneath:
- You should also think about expanding the action use-cases in mind.
- This repository currently has configs and certs. Do we want to preserve the flows as they stand with two separate scripts wrapped in a single action or do we want separate actions for managing certs vs configs.
- Do we want to expand this action to create and update deployments?
- You should also think about expanding the action use-cases in mind.
| @@ -40,10 +45,10 @@ runs: | |||
| using: "composite" | |||
| steps: | |||
| - name: "Synchronize NGINX certificate(s) from the Git repository to an NGINXaaS for Azure deployment" | |||
| run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --nginx_resource_location=${{ inputs.nginx-deployment-location }} --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }} | |||
| run: ${{github.action_path}}/src/deploy-certificate.sh --subscription-id=${{ inputs.subscription-id }} --resource-group-name=${{ inputs.resource-group-name }} --nginx-deployment-name=${{ inputs.nginx-deployment-name }} --nginx-resource-location=${{ inputs.nginx-deployment-location }} --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }} | |||
There was a problem hiding this comment.
https://github.com/kuthiala/nginx-for-azure-deploy-action/blob/f9dbec3c93f58bd3634762d4b2de1f2f0193a4d7/src/deploy-certificate.sh The input handling here needs to be fixed. I am okay if you want to preserve both but in that separate MR, I think you can safely consider refactoring configs and certs both as separate commits. Folks may have a preference in splitting that up further as the changeset will be a bit large but 👍
| can be used to overwrite the file paths when the action synchronizes the files to the NGINXaaS for Azure deployment.' | ||
| 'The absolute directory path in the NGINXaaS for Azure deployment where your configuration files will be placed. | ||
| All files found in the nginx-config-directory-path will be copied to this location in the deployment. | ||
| For example, use "/etc/nginx/" to match the standard NGINX directory structure on Azure. |
There was a problem hiding this comment.
For example, use "/etc/nginx/" to match the standard NGINX directory structure on Azure. -> For example, use "/etc/nginx/" to match the standard NGINX directory structure on your deployment. << something along these lines.
| required: false | ||
| default: "" | ||
| nginx-certificates: | ||
| description: 'An array of JSON objects each with keys nginx_cert_name, keyvault_secret, certificate_virtual_path and key_virtual_path. Example: [{"certificateName": "server1", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/ssl/certs/server1.crt", "keyVirtualPath": "/etc/ssl/certs/server1.key" }, {"name": "server2", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/ssl/certs/server2.crt", "keyVirtualPath": "/etc/ssl/certs/server2.key" }] ' | ||
| required: false | ||
| protected-files: |
There was a problem hiding this comment.
From an Actions perspective, this is a new feature in that it was not there earlier on and now we have added support for handling protected files via the action:
- This should be done in a separate MR. You have the changes here which is fine but try splitting up the work so you are not refactoring the action and adding support for new (missing) things at the same time.
- Separately, do we want to offer protected files support on git? Seems risky and something a customer may not want to use since they would not want to store sensitive stuff on git, right?
| local relative_path="$1" | ||
| for protected_file in "${protected_files_list[@]}"; do | ||
| if [ "$relative_path" = "$protected_file" ]; then | ||
| return 0 # File is protected |
There was a problem hiding this comment.
nit: Since you have the doc string on the function, I think it's okay to drop these inline comments. The logic makes it obvious 👍
| "rootFile=$transformed_root_config_file_path" | ||
| "tarball=$encoded_config_tarball" | ||
| "--root-file" "$transformed_root_config_file_path" | ||
| "--files" "$files_json" |
There was a problem hiding this comment.
if a user has large number of static files to host static content via git, you will very likely hit the Azure API limit of 4M using this action. In those cases, a tarball is of huge help. You should consider the tradeoffs of dropping tarball support in favor using the config files directly.
It's common for users to host static content on Github. Example: https://github.com/nginx/documentation/
The Azure Pipeline task currently resides in the GitHub
Actions repository, but this structure does not follow
GitHub's guidelines for publishing actions. As a result,
the autogenerated action documentation provides incorrect
usage instructions (e.g., suggesting uses: nginxinc/[email protected]),
which fails because the action is located in a subdirectory.
This change enables the use of "az nginx deployment" cli
to do configuration updates. This helps limit the permissions
needed by the service principal to do config updates.
This change also adds support for the protected files
feature supported by NGINXaaS. Users can give a new optional
input called protected-files that contains a comma
separated list of all the files that need to be marked
as protected. For more information, visit:
https://docs.nginx.com/nginxaas/azure/getting-started/nginx-configuration/nginx-configuration-portal/#add-an-nginx-configuration