From 80a40e9abc67e5dcb311597cf256307702e4ae89 Mon Sep 17 00:00:00 2001 From: sarna Date: Sun, 8 Jun 2025 23:08:16 -0700 Subject: [PATCH 1/9] Switch over to new deployment This is the new deployment that will now be used to test the Github action. --- .github/workflows/github-action-test-nginxaas-deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/github-action-test-nginxaas-deploy.yml b/.github/workflows/github-action-test-nginxaas-deploy.yml index 700eecd..3e60544 100644 --- a/.github/workflows/github-action-test-nginxaas-deploy.yml +++ b/.github/workflows/github-action-test-nginxaas-deploy.yml @@ -9,7 +9,7 @@ env: NGINX_DEPLOYMENT_NAME: github-action-test-dep NGINX_TRANSFORMED_CONFIG_DIR_PATH: /etc/nginx/ NGINX_ROOT_CONFIG_FILE: nginx.conf - TEST_RESOURCE_GROUP_NAME: testenv-0da38993-workload + TEST_RESOURCE_GROUP_NAME: github-action-test NGINX_CERT_NAME: github-action-test-crt NGINX_VAULT_NAME: nlbtest-customer From 9eca92f48768b323edbed06cbbfe7ef3446dc7b3 Mon Sep 17 00:00:00 2001 From: sarna Date: Sun, 8 Jun 2025 23:51:19 -0700 Subject: [PATCH 2/9] Fix up exec permissions on actions scripts --- github-action/src/deploy-certificate.sh | 0 github-action/src/deploy-config.sh | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 github-action/src/deploy-certificate.sh mode change 100644 => 100755 github-action/src/deploy-config.sh diff --git a/github-action/src/deploy-certificate.sh b/github-action/src/deploy-certificate.sh old mode 100644 new mode 100755 diff --git a/github-action/src/deploy-config.sh b/github-action/src/deploy-config.sh old mode 100644 new mode 100755 From afeb35e4ad8ffb2ffb1298eb1f51d4cb6daa287f Mon Sep 17 00:00:00 2001 
From: sarna Date: Mon, 9 Jun 2025 22:57:07 -0700 Subject: [PATCH 3/9] Update NGINX confs to refer local upstream We don't have the test infrastructure fully set up to handle some of this yet. For now, we can just proxy pass to an upstream on localhost and update it down the road. --- github-action/test/configs/multi/nginx.conf | 15 ++++++++++++--- github-action/test/configs/single/nginx.conf | 14 +++++++++++--- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/github-action/test/configs/multi/nginx.conf b/github-action/test/configs/multi/nginx.conf index 0366ce8..83378b8 100644 --- a/github-action/test/configs/multi/nginx.conf +++ b/github-action/test/configs/multi/nginx.conf @@ -2,7 +2,7 @@ http { upstream app { zone app 64k; least_conn; - server 10.0.1.4:8000; + server 127.0.0.1:8000; } server { @@ -19,7 +19,7 @@ http { server { listen 443 ssl default_server; server_name example.com; - + ssl_certificate /etc/nginx/ssl/000000/my-cert.crt; ssl_certificate_key /etc/nginx/ssl/000000/my-cert.key; @@ -29,4 +29,13 @@ http { health_check; } } -} \ No newline at end of file + + server { + listen 8000; + + location / { + add_header Github-Run-Id 000000; + return 200 "Hello World"; + } + } +} diff --git a/github-action/test/configs/single/nginx.conf b/github-action/test/configs/single/nginx.conf index af7d309..497fe11 100644 --- a/github-action/test/configs/single/nginx.conf +++ b/github-action/test/configs/single/nginx.conf @@ -2,7 +2,7 @@ http { upstream app { zone app 64k; least_conn; - server 10.0.1.4:8000; + server 127.0.0.1:8000; } server { @@ -21,6 +21,14 @@ http { proxy_pass http://app; health_check; } - } -} \ No newline at end of file + + server { + listen 8000; + + location / { + add_header Github-Run-Id 000000; + return 200 "Hello World"; + } + } +} From 7220ff95056bad6ae32601218137f6f2ef45f674 Mon Sep 17 00:00:00 2001 
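Review bot: The added backend block uses `listen 8000;`, which binds the test responder on every address of the deployment, although the only intended client is the `upstream app` entry `server 127.0.0.1:8000;` in the same file. Binding it to loopback keeps the stub from being reachable directly: `listen 127.0.0.1:8000;`. Whether port 8000 is reachable from outside today depends on network rules that are not visible in this patch, so treat this as hardening. The same block is added in the `single/nginx.conf` hunk and would take the same change.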
From: sarna Date: Mon, 9 Jun 2025 23:36:20 -0700 Subject: [PATCH 4/9] Update test to pass traffic to handle new conf Now that we are using localhost as an upstream we need to make sure that the test to pass traffic checks for the correct headers based on the new config. --- .github/workflows/github-action-test-nginxaas-deploy.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/github-action-test-nginxaas-deploy.yml b/.github/workflows/github-action-test-nginxaas-deploy.yml index 3e60544..46b6583 100644 --- a/.github/workflows/github-action-test-nginxaas-deploy.yml +++ b/.github/workflows/github-action-test-nginxaas-deploy.yml @@ -33,7 +33,7 @@ jobs: - name: "Update config - single file" shell: bash run: | - sed -i 's/000000/'"$GITHUB_RUN_NUMBER"'/g' github-action/test/configs/single/nginx.conf + sed -i 's/000000/'"$GITHUB_RUN_ID"'/g' github-action/test/configs/single/nginx.conf cat github-action/test/configs/single/nginx.conf - name: "Sync NGINX configuration to NGINXaaS for Azure - single file" uses: nginxinc/nginx-for-azure-deploy-action@v0.3.1 @@ -47,7 +47,7 @@ jobs: - name: "Validate config update - single file" shell: bash run: | - wget -O - -o /dev/null http://${{ secrets.NGINX_DEPLOYMENT_IP }} | jq '.request.headers."Github-Run-Id" | test( "'"$GITHUB_RUN_NUMBER"'")' + wget -S -q --spider http://${{ secrets.NGINX_DEPLOYMENT_IP }} 2>&1 | grep "Github-Run-Id: $GITHUB_RUN_ID" - name: "Update config - multi file" shell: bash run: | @@ -70,7 +70,7 @@ jobs: - name: "Validate config update" shell: bash run: | - wget -O - -o /dev/null http://${{ secrets.NGINX_DEPLOYMENT_IP }} | jq '.request.headers."Github-Run-Id" | test( "'"$GITHUB_RUN_ID"'")' + wget -S -q --spider http://${{ secrets.NGINX_DEPLOYMENT_IP }} 2>&1 | grep "Github-Run-Id: $GITHUB_RUN_ID" - name: "Validate certificate update" uses: azure/CLI@v1 with: 
@@ -78,4 +78,4 @@ jobs: echo "-----BEGIN CERTIFICATE-----" > /tmp/$GITHUB_RUN_ID.tmp az keyvault certificate show --vault-name $NGINX_VAULT_NAME -n $NGINX_CERT_NAME | jq -r .cer | cat >> /tmp/$GITHUB_RUN_ID.tmp echo "-----END CERTIFICATE-----" >> /tmp/$GITHUB_RUN_ID.tmp - wget -O - -o /dev/null https://${{ secrets.NGINX_DEPLOYMENT_IP }} --ca-certificate=/tmp/$GITHUB_RUN_ID.tmp | jq '.request.headers."Github-Run-Id" | test( "'"$GITHUB_RUN_ID"'")' + wget -S -q --spider https://${{ secrets.NGINX_DEPLOYMENT_IP }} --ca-certificate=/tmp/$GITHUB_RUN_ID.tmp 2>&1 | grep "Github-Run-Id: $GITHUB_RUN_ID" From 93f8b20b7134df6476dd6618653e056315a7604e Mon Sep 17 00:00:00 2001 From: sarna Date: Mon, 9 Jun 2025 23:57:07 -0700 Subject: [PATCH 5/9] Fixup linting errors --- github-action/src/deploy-certificate.sh | 40 ++++++++++++------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/github-action/src/deploy-certificate.sh b/github-action/src/deploy-certificate.sh index a552b72..57380e6 100755 --- a/github-action/src/deploy-certificate.sh +++ b/github-action/src/deploy-certificate.sh @@ -7,23 +7,23 @@ do case $i in --subscription_id=*) subscription_id="${i#*=}" - shift + shift ;; --resource_group_name=*) resource_group_name="${i#*=}" - shift + shift ;; --nginx_deployment_name=*) nginx_deployment_name="${i#*=}" - shift + shift ;; --nginx_resource_location=*) nginx_resource_location="${i#*=}" - shift + shift ;; --certificates=*) certificates="${i#*=}" - shift + shift ;; *) echo "Not matched option '${i#*=}' passed in." 
@@ -35,27 +35,27 @@ done if [[ ! -v subscription_id ]]; then echo "Please set 'subscription-id' ..." - exit 1 + exit 1 fi if [[ ! -v resource_group_name ]]; then echo "Please set 'resource-group-name' ..." - exit 1 + exit 1 fi if [[ ! -v nginx_deployment_name ]]; then echo "Please set 'nginx-deployment-name' ..." - exit 1 + exit 1 fi if [[ ! -v nginx_resource_location ]]; then echo "Please set 'nginx-resource-location' ..." - exit 1 + exit 1 fi if [[ ! -v certificates ]]; then echo "Please set 'nginx-certificates' ..." - exit 1 + exit 1 fi arm_template_file="nginx-for-azure-certificate-template.json" @@ -69,13 +69,13 @@ echo "" az account set -s "$subscription_id" --verbose -count=$(echo $certificates | jq '. | length') +count=$(echo "$certificates" | jq '. | length') for (( i=0; i Date: Tue, 10 Jun 2025 08:52:18 -0700 Subject: [PATCH 6/9] Update to v2 of Azure actions These are newer and recommended for use, especially for OIDC. --- .github/workflows/github-action-test-nginxaas-deploy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/github-action-test-nginxaas-deploy.yml b/.github/workflows/github-action-test-nginxaas-deploy.yml index 46b6583..8a3ea7d 100644 --- a/.github/workflows/github-action-test-nginxaas-deploy.yml +++ b/.github/workflows/github-action-test-nginxaas-deploy.yml @@ -24,7 +24,7 @@ jobs: - name: "Checkout repository" uses: actions/checkout@v2 - name: "AZ CLI Login" - uses: azure/login@v1 + uses: azure/login@v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} @@ -72,7 +72,7 @@ jobs: run: | wget -S -q --spider http://${{ secrets.NGINX_DEPLOYMENT_IP }} 2>&1 | grep "Github-Run-Id: $GITHUB_RUN_ID" - name: "Validate certificate update" - uses: azure/CLI@v1 + uses: azure/cli@v2 with: inlineScript: | echo "-----BEGIN CERTIFICATE-----" > /tmp/$GITHUB_RUN_ID.tmp From 9c1a931a869db798854c256783e674e7512949eb Mon Sep 17 00:00:00 2001 
From: sarna Date: Tue, 10 Jun 2025 12:46:40 -0700 Subject: [PATCH 7/9] Use curl instead of wget for passing traffic Azure CLI does not support wget from within the container for its action so swapping the invocations entirely with curl instead. --- .github/workflows/github-action-test-nginxaas-deploy.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/github-action-test-nginxaas-deploy.yml b/.github/workflows/github-action-test-nginxaas-deploy.yml index 8a3ea7d..7f1a045 100644 --- a/.github/workflows/github-action-test-nginxaas-deploy.yml +++ b/.github/workflows/github-action-test-nginxaas-deploy.yml @@ -47,7 +47,7 @@ jobs: - name: "Validate config update - single file" shell: bash run: | - wget -S -q --spider http://${{ secrets.NGINX_DEPLOYMENT_IP }} 2>&1 | grep "Github-Run-Id: $GITHUB_RUN_ID" + curl -s -o /dev/null -D - http://${{ secrets.NGINX_DEPLOYMENT_IP }} | grep "Github-Run-Id: $GITHUB_RUN_ID" - name: "Update config - multi file" shell: bash run: | @@ -70,7 +70,7 @@ jobs: - name: "Validate config update" shell: bash run: | - wget -S -q --spider http://${{ secrets.NGINX_DEPLOYMENT_IP }} 2>&1 | grep "Github-Run-Id: $GITHUB_RUN_ID" + curl -s -o /dev/null -D - http://${{ secrets.NGINX_DEPLOYMENT_IP }} | grep "Github-Run-Id: $GITHUB_RUN_ID" - name: "Validate certificate update" uses: azure/cli@v2 with: @@ -78,4 +78,4 @@ jobs: echo "-----BEGIN CERTIFICATE-----" > /tmp/$GITHUB_RUN_ID.tmp az keyvault certificate show --vault-name $NGINX_VAULT_NAME -n $NGINX_CERT_NAME | jq -r .cer | cat >> /tmp/$GITHUB_RUN_ID.tmp echo "-----END CERTIFICATE-----" >> /tmp/$GITHUB_RUN_ID.tmp - wget -S -q --spider https://${{ secrets.NGINX_DEPLOYMENT_IP }} --ca-certificate=/tmp/$GITHUB_RUN_ID.tmp 2>&1 | grep "Github-Run-Id: $GITHUB_RUN_ID" + curl -s -o /dev/null -D - https://${{ secrets.NGINX_DEPLOYMENT_IP }} --cacert /tmp/$GITHUB_RUN_ID.tmp | grep "Github-Run-Id: $GITHUB_RUN_ID" 
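Review bot: With `-s` alone, a connection or TLS failure in the three `curl` checks prints nothing, so the step fails only as a `grep` non-match and the log does not say whether the deployment was unreachable, the certificate was rejected, or the header was wrong. Adding `-S --fail` and a bound such as `--max-time 30` keeps the output quiet but surfaces the curl error and prevents a hang: `curl -sS --fail --max-time 30 -o /dev/null -D - ...`. The `grep` is also case-sensitive, and header names arrive in lower case if the HTTPS listener ever negotiates HTTP/2, so `grep -i "Github-Run-Id: $GITHUB_RUN_ID"` is the safer form. This applies to the hunks at `-47,7`, `-70,7` and `-78,4` alike.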
From 835b0f9cd6428cbd80e492e0688518b0ff22d197 Mon Sep 17 00:00:00 2001 From: sarna Date: Tue, 10 Jun 2025 13:22:27 -0700 Subject: [PATCH 8/9] Add debug flag to action This flag, turned off by default, can be enabled by the customer to debug their Azure CLI invocations. --- github-action/action.yml | 12 ++++-- github-action/src/deploy-certificate.sh | 27 ++++++++++++- github-action/src/deploy-config.sh | 53 ++++++++++++++++++------- 3 files changed, 73 insertions(+), 19 deletions(-) diff --git a/github-action/action.yml b/github-action/action.yml index 50fa38b..ff13017 100644 --- a/github-action/action.yml +++ b/github-action/action.yml 
@@ -23,22 +23,26 @@ inputs: default: "nginx.conf" transformed-nginx-config-directory-path: description: > - 'The transformed absolute path of the NGINX configuration directory in NGINXaaS for Azure deployment, example: "/etc/nginx/". - If the "include" directive in the NGINX configuration files uses absolute paths, the path transformation + 'The transformed absolute path of the NGINX configuration directory in NGINXaaS for Azure deployment, example: "/etc/nginx/". + If the "include" directive in the NGINX configuration files uses absolute paths, the path transformation can be used to overwrite the file paths when the action synchronizes the files to the NGINXaaS for Azure deployment.' required: false default: "" nginx-certificates: description: 'An array of JSON objects each with keys nginx_cert_name, keyvault_secret, certificate_virtual_path and key_virtual_path. Example: [{"certificateName": "server1", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/ssl/certs/server1.crt", "keyVirtualPath": "/etc/ssl/certs/server1.key" }, {"name": "server2", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/ssl/certs/server2.crt", "keyVirtualPath": "/etc/ssl/certs/server2.key" }] ' required: false + debug: + description: "Enable/Disable debug output." 
+ required: false + default: "false" runs: using: "composite" steps: - name: "Synchronize NGINX certificate(s) from the Git repository to an NGINXaaS for Azure deployment" - run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --nginx_resource_location=${{ inputs.nginx-deployment-location }} --certificates=${{ toJSON(inputs.nginx-certificates) }} + run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --nginx_resource_location=${{ inputs.nginx-deployment-location }} --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }} if: ${{ inputs.nginx-deployment-location != '' && inputs.nginx-certificates != '' }} shell: bash - name: "Synchronize NGINX configuration from the Git repository to an NGINXaaS for Azure deployment" - run: ${{github.action_path}}/src/deploy-config.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --config_dir_path=${{ inputs.nginx-config-directory-path }} --root_config_file=${{ inputs.nginx-root-config-file }} --transformed_config_dir_path=${{ inputs.transformed-nginx-config-directory-path }} + run: ${{github.action_path}}/src/deploy-config.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --config_dir_path=${{ inputs.nginx-config-directory-path }} --root_config_file=${{ inputs.nginx-root-config-file }} --transformed_config_dir_path=${{ inputs.transformed-nginx-config-directory-path }} --debug=${{ inputs.debug }} if: ${{ inputs.nginx-config-directory-path != '' }} 
shell: bash diff --git a/github-action/src/deploy-certificate.sh b/github-action/src/deploy-certificate.sh index 57380e6..3402431 100755 --- a/github-action/src/deploy-certificate.sh +++ b/github-action/src/deploy-certificate.sh @@ -25,6 +25,10 @@ case $i in certificates="${i#*=}" shift ;; + --debug=*) + debug="${i#*=}" + shift + ;; *) echo "Not matched option '${i#*=}' passed in." exit 1 @@ -120,8 +124,29 @@ do if [ $do_nginx_arm_deployment -eq 1 ] then + az_cmd=( + "az" + "deployment" + "group" + "create" + "--name" "$template_deployment_name" + "--resource-group" "$resource_group_name" + "--template-file" "$template_file" + "--parameters" + "name=$nginx_cert_name" + "location=$nginx_resource_location" + "nginxDeploymentName=$nginx_deployment_name" + "certificateVirtualPath=$nginx_cert_file" + "keyVirtualPath=$nginx_key_file" + "keyVaultSecretID=$keyvault_secret" + "--verbose" + ) + if [[ "$debug" == true ]]; then + az_cmd+=("--debug") + fi + echo "${az_cmd[@]}" set +e - az deployment group create --name "$template_deployment_name" --resource-group "$resource_group_name" --template-file "$template_file" --parameters name="$nginx_cert_name" location="$nginx_resource_location" nginxDeploymentName="$nginx_deployment_name" certificateVirtualPath="$nginx_cert_file" keyVirtualPath="$nginx_key_file" keyVaultSecretID="$keyvault_secret" --verbose + "${az_cmd[@]}" set -e else echo "Skipping JSON object $i cert deployment with error:$err_msg" diff --git a/github-action/src/deploy-config.sh b/github-action/src/deploy-config.sh index c147182..3f4fa4e 100755 --- a/github-action/src/deploy-config.sh +++ b/github-action/src/deploy-config.sh 
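Review bot: The added `--debug=${{ inputs.debug }}` is substituted into the script text before bash parses it and is unquoted, so an input value containing shell metacharacters becomes part of the command line rather than a single argument; this is on both `run:` lines of action.yml. Passing the value through the step environment avoids that: add `env:` with `DEBUG: ${{ inputs.debug }}` to each step and use `--debug="$DEBUG"` in the command. The other `inputs.*` expansions on these lines predate this commit and follow the same pattern, so they would benefit from the same change. The `debug` description could also state that the flag adds the Azure CLI's `--debug` output to the job log and is meant to be switched off again after troubleshooting.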
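Review bot: `echo "${az_cmd[@]}"` runs on every invocation, not only when `debug` is true, so every parameter value is written to the job log; in deploy-config.sh (the `@@ -152,4 +156,25 @@` hunk) that includes `tarball=$encoded_config_tarball`, presumably the whole encoded configuration. Gate the echo on the flag, `if [[ "${debug:-false}" == true ]]; then echo "${az_cmd[@]}"; fi`, or print only the fixed arguments without the parameter values. Using `"${debug:-false}"` in the existing comparison as well keeps the scripts working when they are called without `--debug=`, in case `set -u` is enabled above the hunk (not visible here). The loop that contains this change in deploy-certificate.sh starts and ends outside the hunk.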
@@ -8,27 +8,31 @@ do case $i in --subscription_id=*) subscription_id="${i#*=}" - shift + shift ;; --resource_group_name=*) resource_group_name="${i#*=}" - shift + shift ;; --nginx_deployment_name=*) nginx_deployment_name="${i#*=}" - shift + shift ;; --config_dir_path=*) config_dir_path="${i#*=}" - shift + shift ;; --root_config_file=*) root_config_file="${i#*=}" - shift + shift ;; --transformed_config_dir_path=*) transformed_config_dir_path="${i#*=}" - shift + shift + ;; + --debug=*) + debug="${i#*=}" + shift ;; *) echo "Not matched option '${i#*=}' passed in." @@ -40,27 +44,27 @@ done if [[ ! -v subscription_id ]]; then echo "Please set 'subscription-id' ..." - exit 1 + exit 1 fi if [[ ! -v resource_group_name ]]; then echo "Please set 'resource-group-name' ..." - exit 1 + exit 1 fi if [[ ! -v nginx_deployment_name ]]; then echo "Please set 'nginx-deployment-name' ..." - exit 1 + exit 1 fi if [[ ! -v config_dir_path ]]; then echo "Please set 'nginx-config-directory-path' ..." - exit 1 + exit 1 fi if [[ ! -v root_config_file ]]; then echo "Please set 'nginx-root-config-file' ..." - exit 1 + exit 1 fi # Validation and preprocessing @@ -78,7 +82,7 @@ fi if [[ -d "$config_dir_path" ]] then echo "The NGINX configuration directory '$config_dir_path' was found." -else +else echo "The NGINX configuration directory '$config_dir_path' does not exist." exit 1 fi @@ -96,7 +100,7 @@ root_config_file_repo_path="$config_dir_path$root_config_file" if [[ -f "$root_config_file_repo_path" ]] then echo "The root NGINX configuration file '$root_config_file_repo_path' was found." -else +else echo "The root NGINX configuration file '$root_config_file_repo_path' does not exist." exit 1 fi 
@@ -152,4 +156,25 @@ echo "ARM template deployment name: $template_deployment_name" echo "" az account set -s "$subscription_id" --verbose -az deployment group create --name "$template_deployment_name" --resource-group "$resource_group_name" --template-file "$template_file" --parameters nginxDeploymentName="$nginx_deployment_name" rootFile="$transformed_root_config_file_path" tarball="$encoded_config_tarball" --verbose + +az_cmd=( + "az" + "deployment" + "group" + "create" + "--name" "$template_deployment_name" + "--resource-group" "$resource_group_name" + "--template-file" "$template_file" + "--parameters" + "nginxDeploymentName=$nginx_deployment_name" + "rootFile=$transformed_root_config_file_path" + "tarball=$encoded_config_tarball" + "--verbose" +) + +if [[ "$debug" == true ]]; then + az_cmd+=("--debug") +fi + +echo "${az_cmd[@]}" +"${az_cmd[@]}" From fae8551db7085c1cbab1a4a8742482df58a9f16f Mon Sep 17 00:00:00 2001 From: sarna Date: Tue, 10 Jun 2025 15:59:20 -0700 Subject: [PATCH 9/9] Update readme - Update the referenced nginx actions to 0.3.1 as cert actions do not work for 0.3.0. - Add an excerpt around Azure RBAC describing the access that the service principal will need in order for the action to work. --- github-action/README.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/github-action/README.md b/github-action/README.md index 54de2bc..82c281b 100644 --- a/github-action/README.md +++ b/github-action/README.md 
@@ -29,12 +29,12 @@ jobs: uses: actions/checkout@v2 - name: 'Run Azure Login using an Azure service principal with a secret' - uses: azure/login@v1 + uses: azure/login@v2 with: creds: ${{ secrets.AZURE_CREDENTIALS }} - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment' - uses: nginxinc/nginx-for-azure-deploy-action@v0.3.0 + uses: nginxinc/nginx-for-azure-deploy-action@v0.3.1 with: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} @@ -69,14 +69,14 @@ jobs: uses: actions/checkout@v2 - name: 'Run Azure Login using OIDC' - uses: azure/login@v1 + uses: azure/login@v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment' - uses: nginxinc/nginx-for-azure-deploy-action@v0.3.0 + uses: nginxinc/nginx-for-azure-deploy-action@v0.3.1 with: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} 
@@ -86,6 +86,9 @@ jobs: transformed-nginx-config-directory-path: /etc/nginx/ ``` +> **Note:** +The service principal being used for authenticating with Azure should have access to manage the NGINXaaS deployment. For simplicity, this guide assumes that the service principal has `Contributor` role to manage the deployment. Refer [prerequisites](https://docs.nginx.com/nginxaas/azure/getting-started/prerequisites/) for details. + ## Handling NGINX configuration file paths To facilitate the migration of the existing NGINX configuration, NGINXaaS for Azure supports multiple-files configuration with each file uniquely identified by a file path, just like how NGINX configuration files are created and used in a self-hosting machine. An NGINX configuration file can include another file using the [include directive](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/). The file path used in an `include` directive can either be an absolute path or a relative path to the [prefix path](https://www.nginx.com/resources/wiki/start/topics/tutorials/installoptions/). @@ -101,7 +104,7 @@ To use this action to sync the configuration files from this example, the direct ```yaml - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment' - uses: nginxinc/nginx-for-azure-deploy-action@v0.3.0 + uses: nginxinc/nginx-for-azure-deploy-action@v0.3.1 with: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} @@ -133,7 +136,7 @@ The action supports an optional input `transformed-nginx-config-directory-path` ```yaml - name: 'Sync the NGINX configuration from the Git repository to the NGINXaaS for Azure deployment' - uses: nginxinc/nginx-for-azure-deploy-action@v0.3.0 + uses: nginxinc/nginx-for-azure-deploy-action@v0.3.1 with: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} 
@@ -151,11 +154,11 @@ The transformed paths of the two configuration files in the NGINXaaS for Azure d ## Handling NGINX certificates -Since certificates are secrets, it is assumed they are stored in Azure key vault. One can provide multiple certificate entries to the github action as an array of JSON objects with keys: +Since certificates are secrets, it is assumed they are stored in Azure key vault. One can provide multiple certificate entries to the github action as an array of JSON objects with keys: `certificateName`- A unique name for the certificate entry -`keyvaultSecret`- The secret ID for the certificate on Azure key vault +`keyvaultSecret`- The secret ID for the certificate on Azure key vault `certificateVirtualPath`- This path must match one or more ssl_certificate directive file arguments in your Nginx configuration; and must be unique between certificates within the same deployment @@ -165,7 +168,7 @@ See the example below ```yaml - name: "Sync NGINX certificates to NGINXaaS for Azure" - uses: nginxinc/nginx-for-azure-deploy-action@v0.3.0 + uses: nginxinc/nginx-for-azure-deploy-action@v0.3.1 with: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} @@ -178,7 +181,7 @@ See the example below ```yaml - name: "Sync NGINX configuration- multi file and certificate to NGINXaaS for Azure" - uses: nginxinc/nginx-for-azure-deploy-action@v0.3.0 + uses: nginxinc/nginx-for-azure-deploy-action@v0.3.1 with: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} 
@@ -188,4 +191,4 @@ See the example below nginx-root-config-file: nginx.conf transformed-nginx-config-directory-path: /etc/nginx/ nginx-certificates: '[{"certificateName": "$NGINX_CERT_NAME", "keyvaultSecret": "https://$NGINX_VAULT_NAME.vault.azure.net/secrets/$NGINX_CERT_NAME", "certificateVirtualPath": "/etc/nginx/ssl/my-cert.crt", "keyVirtualPath": "/etc/nginx/ssl/my-cert.key" } ]' -``` \ No newline at end of file +```