
Enable access via ssh-oidc and cloud.egi.eu (#54)
* enable access via ssh-oidc and cloud.egi.eu

* Replace ssh_oidc_other_vos with ssh_oidc_other_vos_name after grycap/ansible-role-motley-cue#13

* sudo powers for members of the vo.cloud.egi.eu with the auditor role

* update CONTRIBUTING.md with latest version in the template

* fix role name

* linting

* linting

* fix grycap.motley_cue name

* pass access token to Ansible playbook

* use prettier to lint .github/workflows/deploy.yaml

* add PWD to PATH

* linting
sebastian-luna-valero authored Sep 19, 2024
1 parent 07d35ca commit 703bcca
Showing 5 changed files with 194 additions and 177 deletions.
220 changes: 112 additions & 108 deletions .github/workflows/deploy.yaml
@@ -1,126 +1,130 @@
---
name: 'Deploy'
name: "Deploy"

on:
push:
branches:
- main
pull_request:
paths:
- 'deployment/**'
- "deployment/**"

permissions:
permissions:
pull-requests: write

jobs:
terraform:
name: 'Terraform'
name: "Terraform"
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup python
uses: actions/setup-python@v5
with:
python-version: 3.x
- name: Install environment
run: |
curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq
chmod +x jq
pip install yq ansible git+https://github.com/tdviet/fedcloudclient.git
curl -L https://github.com/oidc-mytoken/client/releases/download/v0.5.2/mytoken_0.5.2_linux_64-bit.tar.gz \
| tar -xzf -
mkdir ~/.mytoken
curl https://raw.githubusercontent.com/oidc-mytoken/client/master/config/example-config.yaml \
| sed 's/default_provider:/default_provider: "egi"/g' \
> ~/.mytoken/config.yaml
- name: Configure providers access
env:
MYTOKEN: ${{ secrets.MYTOKEN }}
run: |
PATH="$PWD:$PATH"
cd deployment
./site-config.sh
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.2.9
- name: Terraform Format
id: fmt
run: |
cd deployment
terraform fmt -check
- name: Terraform init
id: init
run: |
cd deployment
terraform init
- name: terraform plan
id: plan
if: github.event_name == 'pull_request'
run: |
cd deployment
terraform plan -no-color -var-file=deploy.tfvars
continue-on-error: true
- name: Update Pull Request
uses: actions/github-script@v7
if: github.event_name == 'pull_request'
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
- name: Checkout
uses: actions/checkout@v4
- name: Setup python
uses: actions/setup-python@v5
with:
python-version: 3.x
- name: Install environment
run: |
curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq
chmod +x jq
pip install yq ansible git+https://github.com/tdviet/fedcloudclient.git
curl -L https://github.com/oidc-mytoken/client/releases/download/v0.5.2/mytoken_0.5.2_linux_64-bit.tar.gz \
| tar -xzf -
mkdir ~/.mytoken
curl https://raw.githubusercontent.com/oidc-mytoken/client/master/config/example-config.yaml \
| sed 's/default_provider:/default_provider: "egi"/g' \
> ~/.mytoken/config.yaml
# add PWD to the PATH
echo "$PWD" >> "$GITHUB_PATH"
- name: Configure providers access
env:
MYTOKEN: ${{ secrets.MYTOKEN }}
run: |
cd deployment
./site-config.sh
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.2.9
- name: Terraform Format
id: fmt
run: |
cd deployment
terraform fmt -check
- name: Terraform init
id: init
run: |
cd deployment
terraform init
- name: terraform plan
id: plan
if: github.event_name == 'pull_request'
run: |
cd deployment
terraform plan -no-color -var-file=deploy.tfvars
continue-on-error: true
- name: Update Pull Request
uses: actions/github-script@v7
if: github.event_name == 'pull_request'
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`
${process.env.PLAN}
\`\`\`
\`\`\`
${process.env.PLAN}
\`\`\`
</details>
</details>
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
- name: Terraform Plan Status
if: steps.plan.outcome == 'failure'
run: exit 1
- name: Terraform Apply
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
run: |
cd deployment
terraform apply -auto-approve -var-file=deploy.tfvars
- name: Get IP
id: public_ip
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
run: |
cd deployment
terraform output -raw public_ip
- name: Update IP in DNS
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
env:
NSUPDATE_SECRET: ${{ secrets.NSUPDATE_SECRET }}
run: |
curl -u "horizon.vm.fedcloud.eu:$NSUPDATE_SECRET" \
"https://nsupdate.fedcloud.eu/nic/update?myip=${{ steps.public_ip.outputs.stdout }}"
- name: Configure with ansible
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
uses: dawidd6/action-ansible-playbook@v2
with:
playbook: playbook.yaml
directory: ./deployment
key: ${{ secrets.SSH_KEY }}
inventory: |
[all]
${{ steps.public_ip.outputs.stdout }}
requirements: galaxy-requirements.yaml
options: |
--extra-vars git_ref=${{ github.sha }}
--ssh-common-args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
-u egi
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
- name: Terraform Plan Status
if: steps.plan.outcome == 'failure'
run: exit 1
- name: Terraform Apply
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
run: |
cd deployment
terraform apply -auto-approve -var-file=deploy.tfvars
- name: Get IP
id: public_ip
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
run: |
cd deployment
terraform output -raw public_ip
- name: Update IP in DNS
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
env:
NSUPDATE_SECRET: ${{ secrets.NSUPDATE_SECRET }}
run: |
curl -u "horizon.vm.fedcloud.eu:$NSUPDATE_SECRET" \
"https://nsupdate.fedcloud.eu/nic/update?myip=${{ steps.public_ip.outputs.stdout }}"
- name: Configure with ansible
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
uses: dawidd6/action-ansible-playbook@v2
env:
MYTOKEN: ${{ secrets.MYTOKEN }}
with:
playbook: playbook.yaml
directory: ./deployment
key: ${{ secrets.SSH_KEY }}
inventory: |
[all]
${{ steps.public_ip.outputs.stdout }}
requirements: galaxy-requirements.yaml
options: |
--extra-vars ACCESS_TOKEN=$(mytoken AT --MT-env MYTOKEN)
--extra-vars git_ref=${{ github.sha }}
--ssh-common-args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
-u egi
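Review bot: The OIDC access token is handed to the playbook as a command-line extra-var built by shell command substitution (`--extra-vars ACCESS_TOKEN=$(mytoken AT --MT-env MYTOKEN)` under `options:` of the "Configure with ansible" step), which puts the token on the ansible-playbook command line where the action's command echo, the process list and any verbose output can expose it, and it only works if the action runs its command through a shell — the action's wrapper is not on this page, so that should be confirmed rather than assumed. A safer shape is a separate `run:` step that obtains the token, masks it with `::add-mask::` and exports it via `$GITHUB_ENV`; the playbook then reads `lookup('env', 'ACCESS_TOKEN')` instead of an extra var, the ACCESS_TOKEN line is dropped from `options:`, and the `env:` block on the action step becomes unnecessary. The step below is the new one to insert before "Configure with ansible".
```yaml
      - name: Get access token
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        env:
          MYTOKEN: ${{ secrets.MYTOKEN }}
        run: |
          ACCESS_TOKEN="$(mytoken AT --MT-env MYTOKEN)"
          echo "::add-mask::$ACCESS_TOKEN"
          echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
      # … unchanged: Configure with ansible step, minus the ACCESS_TOKEN extra-var and its env block …
```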
28 changes: 12 additions & 16 deletions CONTRIBUTING.md
Expand Up @@ -10,19 +10,16 @@ contribute are also welcome.

## Feedback and Questions

If you wish to discuss anything related to the project, please open an issue or
start a topic on the [EGI Community Forum](https://community.egi.eu). The
maintainers will sometimes move issues off of GitHub to the community forum if
it is thought that longer, more open-ended discussion would be beneficial,
including a wider community scope.
If you wish to discuss anything related to the project, please open a
[GitHub issue](https://github.com/EGI-Federation/fedcloud-dashboard/issues/new).

## Contribution Process

Before proposing a contribution via pull request, ideally there is an open issue
describing the need for your contribution (refer to this issue number when you
submit the pull request). We have a 3 steps process for contributions.
Before proposing a contribution via pull request (PR), ideally there is an open
issue describing the need for your contribution (refer to this issue number when
you submit the pull request). We have a 3 steps process for contributions.

1. Fork the project if you have not, and commit changes to a git branch
1. Fork the project if you have not, and commit changes to a Git branch
1. Create a GitHub Pull Request for your change, following the instructions in
the pull request template.
1. Perform a [Code Review](#code-review-process) with the maintainers on the
Expand All @@ -38,19 +35,19 @@ submit the pull request). We have a 3 steps process for contributions.
### Code Review Process

Code review takes place in GitHub pull requests. See
[this article](https://help.github.com/articles/about-pull-requests/) if you're
not familiar with GitHub Pull Requests.
[this article](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests)
if you're not familiar with GitHub Pull Requests.

Once you open a pull request, maintainers will review your code using the
built-in code review process in Github PRs. The process at this point is as
built-in code review process in GitHub PRs. The process at this point is as
follows:

1. A maintainer will review your code and merge it if no changes are necessary.
Your change will be merged into the repository's `main` branch.
1. If a maintainer has feedback or questions on your changes then they will set
`request changes` in the review and provide an explanation.

## Using git
## Using Git

For collaboration purposes, it is best if you create a GitHub account and fork
the repository to your own account. Once you do this you will be able to push
Expand All @@ -59,7 +56,7 @@ easier to send pull requests.

### Branches and Commits

You should submit your patch as a git branch named after the Github issue, such
You should submit your patch as a Git branch named after the GitHub issue, such
as `#3`\. This is called a _topic branch_ and allows users to associate a branch
of code with the issue.

Expand Down Expand Up @@ -90,7 +87,6 @@ EGI benefits from a strong community of developers and system administrators,
and vice-versa. If you have any questions or if you would like to get involved
in the wider EGI community you can check out:

- [EGI Community Forum](https://community.egi.eu/)
- [EGI website](https://www.egi.eu)
- [EGI site](https://www.egi.eu)

**This file has been modified from the Chef Cookbook Contributing Guide**.
41 changes: 27 additions & 14 deletions deployment/cloud-init.yaml
Expand Up @@ -2,19 +2,32 @@
---
# avoid auto-upgrade kicking off in the first boot
bootcmd:
- [cloud-init-per, once, touch, /var/lib/apt/periodic/update-success-stamp]
- [cloud-init-per, once, touch, /var/lib/apt/periodic/update-success-stamp]

users:
- name: egi
gecos: EGI
primary_group: egi
groups: users
shell: /bin/bash
sudo: ALL=(ALL) NOPASSWD:ALL
ssh_import_id:
- gh:enolfc
- gh:gwarf
- gh:CatalinCondurache
- gh:sebastian-luna-valero
ssh_authorized_keys:
- ssh-rsa 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 enol@Enols-MacBook-Pro.local
- name: egi
gecos: EGI
primary_group: egi
groups: users
shell: /bin/bash
sudo: ALL=(ALL) NOPASSWD:ALL
ssh_import_id:
- gh:enolfc
- gh:gwarf
- gh:CatalinCondurache
- gh:sebastian-luna-valero
ssh_authorized_keys:
- ssh-rsa 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 enol@Enols-MacBook-Pro.local

write_files:
- content: |
# Created by cloud-init according to:
# https://github.com/EGI-Federation/fedcloud-dashboard/blob/main/deployment/cloud-init.yaml
#
# 1. Access is restricted to members of the vo.cloud.egi.eu VO with the auditor role
# urn:mace:egi.eu:group:cloud.egi.eu:role=auditor#aai.egi.eu
#
# 2. Once logged in, they have unrestricted sudo power:
%egi-eu_cloud-egi-eu ALL=(ALL) NOPASSWD:ALL
path: /etc/sudoers.d/motley
permissions: "0644"
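Review bot: The sudoers fragment's header comment says access is limited to members of vo.cloud.egi.eu holding the auditor role, but the rule itself is keyed on the Unix group `%egi-eu_cloud-egi-eu`, whose name carries no role qualifier — if that group is derived from the VO/group part of the entitlement rather than the full `role=auditor` URN, every member of the VO gets `ALL=(ALL) NOPASSWD:ALL`. The entitlement-to-group mapping happens outside this file (presumably in motley-cue), so confirm it before relying on the comment, and either key the rule on a role-specific group or narrow the command list. Two smaller points: cloud-init does not validate sudoers syntax, so a `visudo -cf /etc/sudoers.d/motley` check after the write (for example in `runcmd:`) would catch a fragment that breaks sudo; and `permissions: "0440"` is the mode sudo's documentation recommends for sudoers.d fragments, whereas `"0644"` leaves the policy world-readable.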
2 changes: 2 additions & 0 deletions deployment/galaxy-requirements.yaml
@@ -1,2 +1,4 @@
# docker installation
- src: grycap.docker
# ssh-oidc access
- src: grycap.motley_cue
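Review bot: The new `- src: grycap.motley_cue` entry has no `version:` pin, so every deploy installs whatever the latest Galaxy release of the role is at that moment, which makes the run non-reproducible and lets an upstream change to a role that writes SSH login and sudo policy roll out without review. Pin it with `version: "<pinned release tag>"` (placeholder) on the line below `src`, choosing a release that includes the grycap/ansible-role-motley-cue#13 change the description mentions; the existing `grycap.docker` entry has the same gap.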
