packer: split worker_external_creds.sh into one script per cloud

Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2022-03-11 10:25:08 +01:00 · 2022-03-11 10:25:08 +01:00 · 2813507ac9
commit 2813507ac9
parent 2e7815bf53
5 changed files with 53 additions and 41 deletions
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_aws_creds.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_aws_creds.sh
@ -0,0 +1,22 @@
+#!/bin/bash
+set -eo pipefail
+source /tmp/cloud_init_vars
+
+echo "Deploy AWS credentials."
+
+# Deploy the AWS credentials file if the secret ARN was set.
+if [[ -n "$AWS_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
+  /usr/local/bin/aws secretsmanager get-secret-value \
+    --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
+    --secret-id "${AWS_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/aws_credentials.json
+  ACCESS_KEY_ID=$(jq -r ".access_key_id" /tmp/aws_credentials.json)
+  SECRET_ACCESS_KEY=$(jq -r ".secret_access_key" /tmp/aws_credentials.json)
+  rm /tmp/aws_credentials.json
+
+  sudo tee /etc/osbuild-worker/aws_credentials.toml > /dev/null << EOF
+[default]
+aws_access_key_id = "$ACCESS_KEY_ID"
+aws_secret_access_key = "$SECRET_ACCESS_KEY"
+EOF
+
+fi
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_azure_creds.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_azure_creds.sh
@ -0,0 +1,18 @@
+#!/bin/bash
+set -eo pipefail
+source /tmp/cloud_init_vars
+
+echo "Deploy Azure credentials."
+
+# Deploy the Azure credentials file.
+/usr/local/bin/aws secretsmanager get-secret-value \
+  --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
+  --secret-id "${AZURE_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/azure_credentials.json
+CLIENT_ID=$(jq -r ".client_id" /tmp/azure_credentials.json)
+CLIENT_SECRET=$(jq -r ".client_secret" /tmp/azure_credentials.json)
+rm /tmp/azure_credentials.json
+
+sudo tee /etc/osbuild-worker/azure_credentials.toml > /dev/null << EOF
+client_id =     "$CLIENT_ID"
+client_secret = "$CLIENT_SECRET"
+EOF
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_gcp_creds.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_gcp_creds.sh
@ -0,0 +1,10 @@
+#!/bin/bash
+set -eo pipefail
+source /tmp/cloud_init_vars
+
+echo "Deploy GCP credentials."
+
+# Deploy the GCP Service Account credentials file.
+/usr/local/bin/aws secretsmanager get-secret-value \
+  --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
+  --secret-id "${GCP_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /etc/osbuild-worker/gcp_credentials.json
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_external_creds.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_external_creds.sh
@ -1,40 +0,0 @@
-#!/bin/bash
-set -eo pipefail
-source /tmp/cloud_init_vars
-
-echo "Deploy cloud credentials for workers."
-
-# Deploy the GCP Service Account credentials file.
-/usr/local/bin/aws secretsmanager get-secret-value \
-  --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
-  --secret-id "${GCP_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /etc/osbuild-worker/gcp_credentials.json
-
-# Deploy the Azure credentials file.
-/usr/local/bin/aws secretsmanager get-secret-value \
-  --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
-  --secret-id "${AZURE_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/azure_credentials.json
-CLIENT_ID=$(jq -r ".client_id" /tmp/azure_credentials.json)
-CLIENT_SECRET=$(jq -r ".client_secret" /tmp/azure_credentials.json)
-rm /tmp/azure_credentials.json
-
-sudo tee /etc/osbuild-worker/azure_credentials.toml > /dev/null << EOF
-client_id =     "$CLIENT_ID"
-client_secret = "$CLIENT_SECRET"
-EOF
-
-# Deploy the AWS credentials file if the secret ARN was set.
-if [[ -n "$AWS_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
-  /usr/local/bin/aws secretsmanager get-secret-value \
-    --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
-    --secret-id "${AWS_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/aws_credentials.json
-  ACCESS_KEY_ID=$(jq -r ".access_key_id" /tmp/aws_credentials.json)
-  SECRET_ACCESS_KEY=$(jq -r ".secret_access_key" /tmp/aws_credentials.json)
-  rm /tmp/aws_credentials.json
-
-  sudo tee /etc/osbuild-worker/aws_credentials.toml > /dev/null << EOF
-[default]
-aws_access_key_id = "$ACCESS_KEY_ID"
-aws_secret_access_key = "$SECRET_ACCESS_KEY"
-EOF
-
-fi
--- a/templates/packer/ansible/roles/common/files/worker-initialization.service
+++ b/templates/packer/ansible/roles/common/files/worker-initialization.service
@ -11,7 +11,9 @@ ExecStart=/usr/local/libexec/worker-initialization-scripts/set_hostname.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/vector.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/offline_token.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/subscription_manager.sh
-ExecStart=/usr/local/libexec/worker-initialization-scripts/worker_external_creds.sh
+ExecStart=/usr/local/libexec/worker-initialization-scripts/get_aws_creds.sh
+ExecStart=/usr/local/libexec/worker-initialization-scripts/get_azure_creds.sh
+ExecStart=/usr/local/libexec/worker-initialization-scripts/get_gcp_creds.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/worker_service.sh

 [Install]