diff --git a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_aws_creds.sh b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_aws_creds.sh
new file mode 100755
index 000000000..1aa1622b3
--- /dev/null
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_aws_creds.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -eo pipefail
+source /tmp/cloud_init_vars
+
+echo "Deploy AWS credentials."
+
+# Deploy the AWS credentials file if the secret ARN was set.
+if [[ -n "$AWS_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
+ /usr/local/bin/aws secretsmanager get-secret-value \
+ --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
+ --secret-id "${AWS_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/aws_credentials.json
+ ACCESS_KEY_ID=$(jq -r ".access_key_id" /tmp/aws_credentials.json)
+ SECRET_ACCESS_KEY=$(jq -r ".secret_access_key" /tmp/aws_credentials.json)
+ rm /tmp/aws_credentials.json
+
+ sudo tee /etc/osbuild-worker/aws_credentials.toml > /dev/null << EOF
+[default]
+aws_access_key_id = "$ACCESS_KEY_ID"
+aws_secret_access_key = "$SECRET_ACCESS_KEY"
+EOF
+
+fi
diff --git a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_azure_creds.sh b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_azure_creds.sh
new file mode 100755
index 000000000..2da8606d2
--- /dev/null
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_azure_creds.sh
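Review bot: The decoded secret is staged in `/tmp/aws_credentials.json` with the default umask and removed only on the happy path, so if either `jq` extraction fails the script exits under `set -e` and the plaintext secret stays on disk; get_azure_creds.sh in this same commit stages `/tmp/azure_credentials.json` the same way. The final `/etc/osbuild-worker/aws_credentials.toml` is created by `sudo tee` with whatever mode the umask yields, which is likely 0644 unless the directory itself restricts access (not visible here); the Azure and GCP scripts have the same unpinned mode. Holding the secret string in a shell variable and feeding both `jq` calls from it removes the temp file altogether, and pre-creating the target with `install -m 0600` (same root owner `sudo tee` would give a new file) pins the mode before `tee` writes into it.
```bash
if [[ -n "$AWS_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
  SECRET_STRING=$(/usr/local/bin/aws secretsmanager get-secret-value \
    --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
    --secret-id "${AWS_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString")
  ACCESS_KEY_ID=$(jq -r ".access_key_id" <<<"$SECRET_STRING")
  SECRET_ACCESS_KEY=$(jq -r ".secret_access_key" <<<"$SECRET_STRING")

  sudo install -m 0600 /dev/null /etc/osbuild-worker/aws_credentials.toml
  sudo tee /etc/osbuild-worker/aws_credentials.toml > /dev/null << EOF
# … unchanged: heredoc body, EOF, closing fi …
```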
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -eo pipefail
+source /tmp/cloud_init_vars
+
+echo "Deploy Azure credentials."
+
+# Deploy the Azure credentials file.
+/usr/local/bin/aws secretsmanager get-secret-value \
+ --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
+ --secret-id "${AZURE_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/azure_credentials.json
+CLIENT_ID=$(jq -r ".client_id" /tmp/azure_credentials.json)
+CLIENT_SECRET=$(jq -r ".client_secret" /tmp/azure_credentials.json)
+rm /tmp/azure_credentials.json
+
+sudo tee /etc/osbuild-worker/azure_credentials.toml > /dev/null << EOF
+client_id = "$CLIENT_ID"
+client_secret = "$CLIENT_SECRET"
+EOF
diff --git a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_gcp_creds.sh b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_gcp_creds.sh
new file mode 100755
index 000000000..16cfd8177
--- /dev/null
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_gcp_creds.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -eo pipefail
+source /tmp/cloud_init_vars
+
+echo "Deploy GCP credentials."
+
+# Deploy the GCP Service Account credentials file.
+/usr/local/bin/aws secretsmanager get-secret-value \
+ --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
+ --secret-id "${GCP_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /etc/osbuild-worker/gcp_credentials.json
diff --git a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_external_creds.sh b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_external_creds.sh
deleted file mode 100755
index 15370c355..000000000
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_external_creds.sh
+++ /dev/null
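Review bot: Nothing in get_azure_creds.sh checks `AZURE_ACCOUNT_IMAGE_BUILDER_ARN` before it is passed as `--secret-id`, unlike the `if [[ -n ... ]]` guard that get_aws_creds.sh keeps, so an unset variable yields an empty argument, an aws CLI error, and a script that fails under `set -e` without naming the missing input; get_gcp_creds.sh has the same shape with `GCP_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN`. If Azure credentials are mandatory for every worker, `: "${AZURE_ACCOUNT_IMAGE_BUILDER_ARN:?must be set in /tmp/cloud_init_vars}"` right after the `source` line makes the failure self-explanatory; if they are optional on some deployments, wrapping the body in the same `if [[ -n "$AZURE_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then ... fi` guard as the AWS script keeps the three scripts consistent. Which of the two is intended is not visible from the diff, so the choice should be stated in the file's header comment either way.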
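Review bot: The service-account key is streamed straight into its final path `/etc/osbuild-worker/gcp_credentials.json`, so the shell creates or truncates that file before the pipeline's status is known; when the `aws` call fails, `pipefail` stops the script but an empty or partial file is left at the destination, and its mode follows the umask rather than being owner-only. Writing into a `mktemp`-created file in the same directory (created 0600) and renaming it into place only after the pipeline succeeds avoids both problems. This script also writes the destination without `sudo` whereas the AWS and Azure scripts use `sudo tee`; presumably all three run as root from the unit, in which case `sudo` is redundant in the others, but the three should agree.
```bash
# … unchanged: shebang, set, source, echo …
tmp=$(mktemp /etc/osbuild-worker/gcp_credentials.json.XXXXXX)
trap 'rm -f -- "$tmp"' EXIT
/usr/local/bin/aws secretsmanager get-secret-value \
  --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
  --secret-id "${GCP_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > "$tmp"
mv -- "$tmp" /etc/osbuild-worker/gcp_credentials.json
```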
@@ -1,40 +0,0 @@
-#!/bin/bash
-set -eo pipefail
-source /tmp/cloud_init_vars
-
-echo "Deploy cloud credentials for workers."
-
-# Deploy the GCP Service Account credentials file.
-/usr/local/bin/aws secretsmanager get-secret-value \
- --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
- --secret-id "${GCP_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /etc/osbuild-worker/gcp_credentials.json
-
-# Deploy the Azure credentials file.
-/usr/local/bin/aws secretsmanager get-secret-value \
- --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
- --secret-id "${AZURE_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/azure_credentials.json
-CLIENT_ID=$(jq -r ".client_id" /tmp/azure_credentials.json)
-CLIENT_SECRET=$(jq -r ".client_secret" /tmp/azure_credentials.json)
-rm /tmp/azure_credentials.json
-
-sudo tee /etc/osbuild-worker/azure_credentials.toml > /dev/null << EOF
-client_id = "$CLIENT_ID"
-client_secret = "$CLIENT_SECRET"
-EOF
-
-# Deploy the AWS credentials file if the secret ARN was set.
-if [[ -n "$AWS_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
- /usr/local/bin/aws secretsmanager get-secret-value \
- --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
- --secret-id "${AWS_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/aws_credentials.json
- ACCESS_KEY_ID=$(jq -r ".access_key_id" /tmp/aws_credentials.json)
- SECRET_ACCESS_KEY=$(jq -r ".secret_access_key" /tmp/aws_credentials.json)
- rm /tmp/aws_credentials.json
-
- sudo tee /etc/osbuild-worker/aws_credentials.toml > /dev/null << EOF
-[default]
-aws_access_key_id = "$ACCESS_KEY_ID"
-aws_secret_access_key = "$SECRET_ACCESS_KEY"
-EOF
-
-fi
diff --git a/templates/packer/ansible/roles/common/files/worker-initialization.service b/templates/packer/ansible/roles/common/files/worker-initialization.service
index ef117d57a..d5f013585 100644
--- a/templates/packer/ansible/roles/common/files/worker-initialization.service
+++ b/templates/packer/ansible/roles/common/files/worker-initialization.service
@@ -11,7 +11,9 @@
 ExecStart=/usr/local/libexec/worker-initialization-scripts/set_hostname.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/vector.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/offline_token.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/subscription_manager.sh
-ExecStart=/usr/local/libexec/worker-initialization-scripts/worker_external_creds.sh
+ExecStart=/usr/local/libexec/worker-initialization-scripts/get_aws_creds.sh
+ExecStart=/usr/local/libexec/worker-initialization-scripts/get_azure_creds.sh
+ExecStart=/usr/local/libexec/worker-initialization-scripts/get_gcp_creds.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/worker_service.sh
 [Install]