Step 8 - Deploy NAP with a CI/CD toolchain

In this module, we will deploy NAP with a CI/CD pipeline. NAP is tied to the app, so when DevOps commits a new app (or a new version of it), the CI/CD pipeline has to deploy a new NAP component in front of it. To avoid repeating what we did previously, we will use a Signature Package update as the trigger instead of an application change.

Note

When a new Signature Package is available, the CI/CD pipeline builds a new version of the NAP Docker image and runs it in front of the Arcadia application.

This is the workflow we will run

  1. Check if a new Signature Package is available

  2. Simulate a commit in GitLab (in this lab, by creating a tag; the goal is to simulate a fully automated process that checks the Signature Package date every day)

  3. This commit triggers a webhook in Gitlab CI

  4. Gitlab CI runs the pipeline

    1. Build a new NAP Docker image, tagged with the date of the Signature Package

    2. Destroy the previous running NAP container

    3. Run a new NAP container with this new Signature Package

Note

The goal of this module is not to learn how to do this yourself, but to understand how I did it.

Check the GitLab CI file:

stages:
    - Build_image
    - Push_image
    - Run_docker

before_script:
    - docker info

Build_image:
    stage: Build_image
    script:
        # Signature Package version as reported by yum (e.g. 2020.06.30); it becomes the Docker tag.
        # The last "Version" line is taken because yum lists the installed package first and a newer
        # available one after it; whitespace is stripped so the tag is valid.
        - TAG=$(yum info app-protect-attack-signatures | grep '^Version' | tail -n 1 | cut -d':' -f2 | tr -d '[:space:]')
        - echo "$TAG"
        - docker build -t 10.1.20.7:5000/app-protect:"$TAG" .
        # Hand the tag to the next stages through an artifact file
        - echo "export TAG=$TAG" > "$CI_PROJECT_DIR/variables"
    artifacts:
        paths:
        - variables

Push_image:
    stage: Push_image
    script:
        - source "$CI_PROJECT_DIR/variables"
        - echo "$TAG"
        - docker push 10.1.20.7:5000/app-protect:"$TAG"

Run_docker:
    stage: Run_docker
    script:
        - source "$CI_PROJECT_DIR/variables"
        - echo "$TAG"
        # The playbook replaces the running app-protect container with the image carrying this tag
        - ansible-playbook -i hosts playbook.yaml --extra-var dockertag="$TAG"

Note

The challenge here was to retrieve the date of the package and tag the image with this date in order to have one image per Signature Package date. This is useful if you need to roll back to a previous version of the signatures: the older images stay in the registry, so you only have to run the Run_docker stage again with the older tag. Note that the tag comes from what yum sees on the runner, not from what was installed inside the image, so always confirm the version NAP actually loaded in its error.log (see the last step of this module).

Simulate an automated task detecting that a new Signature Package has been released by F5

Steps:

  1. RDP to the Jumphost and open Chrome

  2. Open Gitlab

    1. If Gitlab is not available (502 error), restart the GitLab Docker container. SSH to the GitLab VM and run docker restart gitlab

  3. In GitLab, open NGINX App Protect / signature-update project

    [screenshot: gitlab_project.png]
  4. SSH (or WebSSH) to CICD server (Gitlab runner, Terraform, Ansible)

    1. Run this command to determine the latest Signature Package date: yum info app-protect-attack-signatures

    2. Note the version date. In my case, when I wrote this lab, 2020.06.30 was the most recent version of the signatures package. We will use this date as the Docker tag, but this will be done automatically by the CI/CD pipeline.

    [screenshot: yum-date.png]

Trigger the CI/CD pipeline

Steps :

  1. In GitLab, click on Repository and Tags in the left menu

  2. Create a new tag and give it a name like Sig-<version_date>, where ideally <version_date> is the package version found in the result of the yum info step above. The name does not actually matter: the Git tag only triggers the pipeline, and the Docker tag is computed by the pipeline itself from yum info.

  3. Click Create tag

  4. At this moment, the GitLab CI pipeline starts

  5. In GitLab, in the signature-update repository, click CI / CD > Pipelines

    [screenshot: github_cicd.png]
  6. Open the pipeline by clicking on the running or passed button, and wait for it to finish. You can click on every job/stage to check the steps

    [screenshot: github_pipeline.png]
  7. Check if the new image created and pushed by the pipeline is available in the Docker Registry.
    1. In Chrome open bookmark Docker Registry UI

    2. Click on App Protect Repository

    3. You can see your new image with the tag 2020.06.30, or whatever tag matches the latest package date on your runner.

    [screenshot: registry-ui.png]
  8. SSH to the Docker App Protect + Docker repo VM and check the signature package date NAP actually loaded by running docker exec -it app-protect more /var/log/nginx/error.log. Look for the configuration_load_success line; the attack_signatures_package version must match the new image tag:

2020/07/06 09:32:05 [notice] 12#12: APP_PROTECT { "event": "configuration_load_success", "software_version": "3.74.0", "attack_signatures_package":{"revision_datetime":"2020-06-30T10:08:35Z","version":"2020.06.30"},"completed_successfully":true,"threat_campaigns_package":{}}
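The daily check this module only simulates, written out as an added example (not the lab's own code, and not the playbook the pipeline calls): it parses the yum info output the same way the Build_image stage does and compares the result with the attack_signatures_package version NAP logged at startup, so a scheduler could trigger the pipeline only when the two differ. Both inputs are constructed samples embedded in the script; the assumption that yum lists any newer available package after the installed one is marked in a comment.

```sh
#!/bin/sh
# Added example: decide whether the running NAP container needs a rebuild by
# comparing the newest Signature Package version yum can see with the version
# NAP reported in error.log. Not part of the lab's pipeline.

# Constructed sample of `yum info app-protect-attack-signatures` output.
SAMPLE_YUM_INFO='Available Packages
Name        : app-protect-attack-signatures
Arch        : x86_64
Version     : 2020.06.30
Release     : 1.el7.ngx
Size        : 7.4 M
Repo        : app-protect-security-updates'

# Constructed sample error.log line, in the same shape as the one shown above.
SAMPLE_ERROR_LOG='2020/07/06 09:32:05 [notice] 12#12: APP_PROTECT { "event": "configuration_load_success", "software_version": "3.74.0", "attack_signatures_package":{"revision_datetime":"2020-06-30T10:08:35Z","version":"2020.06.30"},"completed_successfully":true,"threat_campaigns_package":{}}'

# Version from yum output read on stdin. Assumption: yum prints the installed
# package first and a newer available one after it, so the last Version line
# is the newest. Whitespace is stripped so the result is a valid Docker tag.
available_version() {
    grep '^Version' | tail -n 1 | cut -d':' -f2 | tr -d '[:space:]'
}

# Version NAP actually loaded, taken from the last configuration_load_success
# line of error.log read on stdin.
running_version() {
    grep 'configuration_load_success' | tail -n 1 \
      | sed -n 's/.*"attack_signatures_package":{[^}]*"version":"\([^"]*\)".*/\1/p'
}

# Print "update" when the pipeline should run, "current" when it should not.
# Arguments: yum info text, error.log text. Fails closed if no version is found.
decide() {
    avail=$(printf '%s\n' "$1" | available_version)
    running=$(printf '%s\n' "$2" | running_version)
    [ -n "$avail" ] || { echo "error: no Version line in yum output" >&2; return 2; }
    [ -n "$running" ] || { echo "error: no signature package in error.log" >&2; return 2; }
    if [ "$avail" != "$running" ]; then
        echo update
    else
        echo current
    fi
}

# Stand-alone run on the constructed samples (both are 2020.06.30).
decide "$SAMPLE_YUM_INFO" "$SAMPLE_ERROR_LOG"
```

On a real host the two inputs would come from `yum info app-protect-attack-signatures` on the runner and from `docker exec app-protect cat /var/log/nginx/error.log` on the NAP VM; a cron job can then create the Git tag (or call the GitLab pipeline trigger API) only when the script prints update, which is what the manual tag creation in this module stands in for.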

Note

Congratulations, you ran a CI/CD pipeline with GitLab CI.