Allow easy syncing of F5 WAF images for e2e tests

Author: pdabelf5

.github/scripts/pull-nap-images.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+VERSION=$1
+DRY_RUN=${2:-false}
+NGINX_REPO=private-registry.nginx.com/nap
+DEV_REPO=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap
+
+docker pull "${NGINX_REPO}"/waf-config-mgr:"${VERSION}"
+docker pull "${NGINX_REPO}"/waf-enforcer:"${VERSION}"
+docker pull "${NGINX_REPO}"/waf-compiler:"${VERSION}"
+
+docker tag "${NGINX_REPO}"/waf-config-mgr:"${VERSION}" "${DEV_REPO}"/waf-config-mgr:"${VERSION}"
+docker tag "${NGINX_REPO}"/waf-enforcer:"${VERSION}" "${DEV_REPO}"/waf-enforcer:"${VERSION}"
+docker tag "${NGINX_REPO}"/waf-compiler:"${VERSION}" "${DEV_REPO}"/waf-compiler:"${VERSION}"
+
+if [ "${DRY_RUN}" = true ]; then
+    echo "Dry run enabled, not pushing images"
+    exit 0
+fi
+docker push "${DEV_REPO}"/waf-config-mgr:"${VERSION}"
+docker push "${DEV_REPO}"/waf-enforcer:"${VERSION}"
+docker push "${DEV_REPO}"/waf-compiler:"${VERSION}"

.github/workflows/pull-nap-images.yml

@@ -0,0 +1,89 @@
+name: Pull NAP Images
+run-name: ${{ inputs.dry_run && '[DRY RUN] ' || '' }}pull-nap-images - ${{ github.ref_name }} - ${{ inputs.version }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to pull"
+        required: true
+        default: "latest"
+      dry_run:
+        description: "Don't push images"
+        type: boolean
+        default: false
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: ${{ github.ref_name }}-nap-images
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  sync-nap-images:
+    name: Pull NAP Images
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$GCR_WORKLOAD_ID"
+          echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+          GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+          echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
+      - name: Authenticate to Google Cloud
+        id: gcr-auth
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+          service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
+
+      - name: Login to GCR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.gcr-auth.outputs.access_token }}
+
+      - name: Get Id Token
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        id: idtoken
+        with:
+          script: |
+            let id_token = await core.getIDToken()
+            core.setOutput('id_token', id_token)
+
+      - name: Login to NGINX Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: docker-mgmt.nginx.com
+          username: ${{ steps.idtoken.outputs.id_token }}
+          password: ${{ github.actor }}
+
+      - name: Output Variables
+        id: vars
+        run: |
+          ./.github/scripts/pull-nap-images.sh "${{ inputs.version }}" "${{ inputs.dry_run }}"