packer: skip retrieving of creds if their ARN is not specified

So we can have workers without public cloud creds. Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2022-03-11 10:35:46 +01:00 · 2022-03-11 10:35:46 +01:00 · 2dd5ae7bca
commit 2dd5ae7bca
parent 4c0ba50ea1
3 changed files with 31 additions and 14 deletions
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_aws_creds.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_aws_creds.sh
@ -4,25 +4,32 @@ source /tmp/cloud_init_vars

 echo "Deploy AWS credentials."

-# Deploy the AWS credentials file if the secret ARN was set.
-if [[ -n "$AWS_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
-  /usr/local/bin/aws secretsmanager get-secret-value \
-    --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
-    --secret-id "${AWS_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/aws_credentials.json
-  ACCESS_KEY_ID=$(jq -r ".access_key_id" /tmp/aws_credentials.json)
-  SECRET_ACCESS_KEY=$(jq -r ".secret_access_key" /tmp/aws_credentials.json)
-  rm /tmp/aws_credentials.json

-  sudo tee /etc/osbuild-worker/aws_credentials.toml > /dev/null << EOF
+echo "Write the bucket."
+# Always create the header and write the bucket, it's slightly ugly but it will work
+sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
+[aws]
+bucket = "${WORKER_CONFIG_AWS_BUCKET:-}"
+EOF
+
+if [[ -z "$AWS_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
+  echo "AWS_ACCOUNT_IMAGE_BUILDER_ARN not defined, skipping."
+  exit 0
+fi
+
+/usr/local/bin/aws secretsmanager get-secret-value \
+--endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
+--secret-id "${AWS_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/aws_credentials.json
+ACCESS_KEY_ID=$(jq -r ".access_key_id" /tmp/aws_credentials.json)
+SECRET_ACCESS_KEY=$(jq -r ".secret_access_key" /tmp/aws_credentials.json)
+rm /tmp/aws_credentials.json
+
+sudo tee /etc/osbuild-worker/aws_credentials.toml > /dev/null << EOF
 [default]
 aws_access_key_id = "$ACCESS_KEY_ID"
 aws_secret_access_key = "$SECRET_ACCESS_KEY"
 EOF

-  sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
-[aws]
+sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
 credentials = "${WORKER_CONFIG_AWS_CREDENTIALS:-}"
-bucket = "${WORKER_CONFIG_AWS_BUCKET:-}"
 EOF
-
-fi
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_azure_creds.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_azure_creds.sh
@ -4,6 +4,11 @@ source /tmp/cloud_init_vars

 echo "Deploy Azure credentials."

+if [[ -z "$AZURE_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
+  echo "AZURE_ACCOUNT_IMAGE_BUILDER_ARN not defined, skipping."
+  exit 0
+fi
+
 # Deploy the Azure credentials file.
 /usr/local/bin/aws secretsmanager get-secret-value \
  --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_gcp_creds.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_gcp_creds.sh
@ -4,6 +4,11 @@ source /tmp/cloud_init_vars

 echo "Deploy GCP credentials."

+if [[ -z "$GCP_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
+  echo "GCP_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN not defined, skipping."
+  exit 0
+fi
+
 # Deploy the GCP Service Account credentials file.
 /usr/local/bin/aws secretsmanager get-secret-value \
  --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \