From d416b4ee35d461191486f080e004746edfe3fcd3 Mon Sep 17 00:00:00 2001 From: Sebastian Luna-Valero Date: Thu, 19 Sep 2024 14:26:31 +0200 Subject: [PATCH 1/7] use GITHUB_ENV for OIDC_TOKEN --- .github/workflows/deploy.yaml | 9 +++++---- deployment/site-config.sh | 4 +--- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 6bc5659..bc3885f 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -36,9 +36,12 @@ jobs: > ~/.mytoken/config.yaml # add PWD to the PATH echo "$PWD" >> "$GITHUB_PATH" + # add OIDC access token to ENV + OIDC_TOKEN=$(mytoken AT --MT-env MYTOKEN) + echo "::add-mask::$OIDC_TOKEN" + echo "OIDC_TOKEN=$OIDC_TOKEN" >> "$GITHUB_ENV" - name: Configure providers access env: - MYTOKEN: ${{ secrets.MYTOKEN }} run: | cd deployment ./site-config.sh @@ -113,8 +116,6 @@ jobs: - name: Configure with ansible if: github.ref == 'refs/heads/main' && github.event_name == 'push' uses: dawidd6/action-ansible-playbook@v2 - env: - MYTOKEN: ${{ secrets.MYTOKEN }} with: playbook: playbook.yaml directory: ./deployment @@ -124,7 +125,7 @@ jobs: ${{ steps.public_ip.outputs.stdout }} requirements: galaxy-requirements.yaml options: | - --extra-vars ACCESS_TOKEN="$(mytoken AT --MT-env MYTOKEN)" + --extra-vars ACCESS_TOKEN=${{ env.OIDC_TOKEN }} --extra-vars git_ref=${{ github.sha }} --ssh-common-args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" -u egi diff --git a/deployment/site-config.sh b/deployment/site-config.sh index 9348094..e1de70a 100755 --- a/deployment/site-config.sh +++ b/deployment/site-config.sh @@ -27,9 +27,7 @@ dump_config() { EOF } -OIDC_TOKEN=$(mytoken AT --MT-env MYTOKEN) - -echo "::add-mask::$OIDC_TOKEN" +# using OIDC_TOKEN generated in .github/workflows/deploy.yaml rm -f clouds.yaml echo "clouds:" > tmp-clouds.yaml From ac11f6d980a96618eaa03357c98da5ba2c463647 Mon Sep 17 00:00:00 2001 
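Review bot: Writing the access token to `$GITHUB_ENV` in the `@@ -36,9 +36,12 @@` hunk of `.github/workflows/deploy.yaml` hands it to every later step of the job, whether or not that step needs it. A narrower form is to give this step an `id`, write `echo "token=$OIDC_TOKEN" >> "$GITHUB_OUTPUT"`, and set `env: OIDC_TOKEN: ${{ steps.<id>.outputs.token }}` only on the steps that consume it, keeping the `::add-mask::` line directly after the assignment as it is now. The token is also minted once here and used by later steps, so if the access tokens are short-lived a slow job could reach the ansible step with an expired one. The `run:` block starts above the hunk, so how much work sits between minting and use cannot be seen here.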
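Review bot: In the `@@ -124,7 +125,7 @@` hunk, `${{ env.OIDC_TOKEN }}` is substituted into the `options` text before the action runs, so the token lands unquoted on the `ansible-playbook` command line, where it is visible in process arguments and kept out of the logs only by the mask. Because the variable is already in the step's environment, the playbook could read it itself, for example with `ACCESS_TOKEN: "{{ lookup('env', 'OIDC_TOKEN') }}"` in its vars, and the `--extra-vars ACCESS_TOKEN=...` line could then go. The playbook is not part of this patch, so that needs checking against how `ACCESS_TOKEN` is used there. If the option stays, `--extra-vars ACCESS_TOKEN="${{ env.OIDC_TOKEN }}"` keeps the quoting the previous line had.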
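Review bot: `deployment/site-config.sh` now relies on `OIDC_TOKEN` being exported by the workflow, but nothing in the visible script checks it. The hunk context shows `set -e` and no `set -u`, so an unset or empty variable would be passed to `fedcloud openstack token issue` as an empty `--oidc-access-token`. A guard next to the new comment, `: "${OIDC_TOKEN:?OIDC_TOKEN must be exported by the caller}"`, fails early with a clear message and documents the contract for anyone running the script outside CI. The `# shellcheck disable=SC2153` added in patch 6/7 silences the linter's hint about this variable but does not add such a check.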
From: Sebastian Luna-Valero Date: Thu, 19 Sep 2024 14:32:57 +0200 Subject: [PATCH 2/7] remove empty env: line --- .github/workflows/deploy.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index bc3885f..f635e15 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -41,7 +41,6 @@ jobs: echo "::add-mask::$OIDC_TOKEN" echo "OIDC_TOKEN=$OIDC_TOKEN" >> "$GITHUB_ENV" - name: Configure providers access - env: run: | cd deployment ./site-config.sh From b5f6266a753cef665d98a9fa50c8d5c01f795f74 Mon Sep 17 00:00:00 2001 From: Sebastian Luna-Valero Date: Thu, 19 Sep 2024 14:35:42 +0200 Subject: [PATCH 3/7] ./mytoken instead of mytoken --- .github/workflows/deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index f635e15..7632242 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -37,7 +37,7 @@ jobs: # add PWD to the PATH echo "$PWD" >> "$GITHUB_PATH" # add OIDC access token to ENV - OIDC_TOKEN=$(mytoken AT --MT-env MYTOKEN) + OIDC_TOKEN=$(./mytoken AT --MT-env MYTOKEN) echo "::add-mask::$OIDC_TOKEN" echo "OIDC_TOKEN=$OIDC_TOKEN" >> "$GITHUB_ENV" - name: Configure providers access From aae229bfd9b80d34d514c3a5bff2066effe1fa5e Mon Sep 17 00:00:00 2001 From: Sebastian Luna-Valero Date: Thu, 19 Sep 2024 14:43:12 +0200 Subject: [PATCH 4/7] add MYTOKEN to env --- .github/workflows/deploy.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 7632242..5fa3d0d 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -24,6 +24,8 @@ jobs: with: python-version: 3.x - name: Install environment + env: + MYTOKEN: ${{ secrets.MYTOKEN }} run: | curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq chmod +x jq 
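Review bot: The switch to `./mytoken` in patch 3/7 would benefit from a one-line comment saying why the path is needed, because the line just above adds `$PWD` to `$GITHUB_PATH` and a reader may expect the bare name to resolve. Something like `# GITHUB_PATH only takes effect in later steps, so call the binary by path here` above the assignment would do. The `run:` block starts outside the hunk, so this assumes the binary is downloaded into the working directory earlier in the same step.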
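Review bot: Adding `MYTOKEN` to the `env:` of `Install environment` in patch 4/7 exposes the long-lived secret to everything that step runs, and the visible context shows the step fetching a binary with `curl -L ... > jq` and marking it executable with no checksum check. Moving the token exchange into its own small step keeps the secret away from the download-and-install commands; the three lines added by patch 1/7 would move there unchanged. The `run:` block continues past the hunk, so the rest of the install step is not visible, and the bare `mytoken` below assumes the `$GITHUB_PATH` entry written by the install step is in effect for later steps.

```yaml
      # … unchanged: Install environment step, without the MYTOKEN env entry …
      - name: Get OIDC access token
        env:
          MYTOKEN: ${{ secrets.MYTOKEN }}
        run: |
          OIDC_TOKEN=$(mytoken AT --MT-env MYTOKEN)
          echo "::add-mask::$OIDC_TOKEN"
          echo "OIDC_TOKEN=$OIDC_TOKEN" >> "$GITHUB_ENV"
```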
From 686feef98d37a5e79b0d2c21bfae5e4db719f728 Mon Sep 17 00:00:00 2001 From: Sebastian Luna-Valero Date: Thu, 19 Sep 2024 14:44:25 +0200 Subject: [PATCH 5/7] solving SHELL_SHFMT issue --- deployment/site-config.sh | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/deployment/site-config.sh b/deployment/site-config.sh index e1de70a..047d4e9 100755 --- a/deployment/site-config.sh +++ b/deployment/site-config.sh @@ -6,18 +6,18 @@ set -e # Reads from config.yaml the clouds to use dump_config() { - # dumps a piece of yaml ready to be included in the - # clouds.yaml Openstack client config - cloud_name="$1" - site="$2" - vo="$3" - oidc_token="$4" - token="$(fedcloud openstack token issue \ - --oidc-access-token "$oidc_token" \ - --site "$site" --vo "$vo" -j \ - | jq -r '.[0].Result.id')" - eval "$(fedcloud site show-project-id --site "$site" --vo "$vo")" - cat << EOF + # dumps a piece of yaml ready to be included in the + # clouds.yaml Openstack client config + cloud_name="$1" + site="$2" + vo="$3" + oidc_token="$4" + token="$(fedcloud openstack token issue \ + --oidc-access-token "$oidc_token" \ + --site "$site" --vo "$vo" -j | + jq -r '.[0].Result.id')" + eval "$(fedcloud site show-project-id --site "$site" --vo "$vo")" + cat < tmp-clouds.yaml +echo "clouds:" >tmp-clouds.yaml dump_config backend \ - "$(yq -r .clouds.backend.site config.yaml)" \ - "$(yq -r .clouds.backend.vo config.yaml)" \ - "$OIDC_TOKEN" >> tmp-clouds.yaml + "$(yq -r .clouds.backend.site config.yaml)" \ + "$(yq -r .clouds.backend.vo config.yaml)" \ + "$OIDC_TOKEN" >>tmp-clouds.yaml dump_config deploy \ - "$(yq -r .clouds.deploy.site config.yaml)" \ - "$(yq -r .clouds.deploy.vo config.yaml)" \ - "$OIDC_TOKEN" >> tmp-clouds.yaml + "$(yq -r .clouds.deploy.site config.yaml)" \ + "$(yq -r .clouds.deploy.vo config.yaml)" \ + "$OIDC_TOKEN" >>tmp-clouds.yaml mv tmp-clouds.yaml clouds.yaml mkdir -p ~/.config/openstack 
From 6397277b8056d86cce21406d422eb1372c1cd6ea Mon Sep 17 00:00:00 2001 From: Sebastian Luna-Valero Date: Thu, 19 Sep 2024 14:45:53 +0200 Subject: [PATCH 6/7] shellcheck disable=SC2153 --- deployment/site-config.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployment/site-config.sh b/deployment/site-config.sh index 047d4e9..1fbd75b 100755 --- a/deployment/site-config.sh +++ b/deployment/site-config.sh @@ -31,11 +31,14 @@ EOF rm -f clouds.yaml echo "clouds:" >tmp-clouds.yaml + +# shellcheck disable=SC2153 dump_config backend \ "$(yq -r .clouds.backend.site config.yaml)" \ "$(yq -r .clouds.backend.vo config.yaml)" \ "$OIDC_TOKEN" >>tmp-clouds.yaml + dump_config deploy \ "$(yq -r .clouds.deploy.site config.yaml)" \ "$(yq -r .clouds.deploy.vo config.yaml)" \ From fabfbba80496ff165804e65b36f570afdd3bcb90 Mon Sep 17 00:00:00 2001 From: Sebastian Luna-Valero Date: Thu, 19 Sep 2024 14:52:57 +0200 Subject: [PATCH 7/7] solving SHELL_SHFMT issue --- deployment/site-config.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/deployment/site-config.sh b/deployment/site-config.sh index 1fbd75b..6548ebc 100755 --- a/deployment/site-config.sh +++ b/deployment/site-config.sh @@ -38,7 +38,6 @@ dump_config backend \ "$(yq -r .clouds.backend.vo config.yaml)" \ "$OIDC_TOKEN" >>tmp-clouds.yaml - dump_config deploy \ "$(yq -r .clouds.deploy.site config.yaml)" \ "$(yq -r .clouds.deploy.vo config.yaml)" \