From 2dd5ae7bca452bd413e5afcce1cf5576d1ad8bdc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Budai?=
Date: Fri, 11 Mar 2022 10:35:46 +0100
Subject: [PATCH] packer: skip retrieving of creds if their ARN is not specified
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

So we can have workers without public cloud creds.

Signed-off-by: Ondřej Budai
---
 .../get_aws_creds.sh | 35 +++++++++++--------
 .../get_azure_creds.sh | 5 +++
 .../get_gcp_creds.sh | 5 +++
 3 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_aws_creds.sh b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_aws_creds.sh
index 09acbf292..22f0b806a 100755
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_aws_creds.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_aws_creds.sh
@@ -4,25 +4,32 @@ source /tmp/cloud_init_vars
 
 echo "Deploy AWS credentials."
 
-# Deploy the AWS credentials file if the secret ARN was set.
-if [[ -n "$AWS_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
- /usr/local/bin/aws secretsmanager get-secret-value \
- --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
- --secret-id "${AWS_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/aws_credentials.json
- ACCESS_KEY_ID=$(jq -r ".access_key_id" /tmp/aws_credentials.json)
- SECRET_ACCESS_KEY=$(jq -r ".secret_access_key" /tmp/aws_credentials.json)
- rm /tmp/aws_credentials.json
- sudo tee /etc/osbuild-worker/aws_credentials.toml > /dev/null << EOF
+echo "Write the bucket."
+# Always create the header and write the bucket, it's slightly ugly but it will work
+sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
+[aws]
+bucket = "${WORKER_CONFIG_AWS_BUCKET:-}"
+EOF
+
+if [[ -z "$AWS_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
+ echo "AWS_ACCOUNT_IMAGE_BUILDER_ARN not defined, skipping."
+ exit 0
+fi
+
+/usr/local/bin/aws secretsmanager get-secret-value \
+--endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
+--secret-id "${AWS_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/aws_credentials.json
+ACCESS_KEY_ID=$(jq -r ".access_key_id" /tmp/aws_credentials.json)
+SECRET_ACCESS_KEY=$(jq -r ".secret_access_key" /tmp/aws_credentials.json)
+rm /tmp/aws_credentials.json
+
+sudo tee /etc/osbuild-worker/aws_credentials.toml > /dev/null << EOF
 [default]
 aws_access_key_id = "$ACCESS_KEY_ID"
 aws_secret_access_key = "$SECRET_ACCESS_KEY"
 EOF
 
- sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
-[aws]
+sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
 credentials = "${WORKER_CONFIG_AWS_CREDENTIALS:-}"
-bucket = "${WORKER_CONFIG_AWS_BUCKET:-}"
 EOF
-
-fi
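Review bot: The retrieved secret is still round-tripped through `/tmp/aws_credentials.json` (the `> /tmp/aws_credentials.json` redirect and the two `jq -r ... /tmp/aws_credentials.json` lines in the new block), a predictable path whose mode follows the process umask, so the access key pair can be readable by other local users while the file exists, and if the script runs with `set -e` (not visible in this hunk) and a `jq` call fails, the `rm` never runs and the copy stays behind. Keeping the `SecretString` in a shell variable and feeding `jq` from it removes the on-disk copy entirely, as in the rewrite below; `sudo chmod 0600 /etc/osbuild-worker/aws_credentials.toml` after the `sudo tee` would close the same gap for the permanent file, whose mode `tee` likewise leaves to the umask. Separately, the new guard `[[ -z "$AWS_ACCOUNT_IMAGE_BUILDER_ARN" ]]` only skips when the variable is set to an empty string: under `set -u` an unset variable aborts the script instead, so `[[ -z "${AWS_ACCOUNT_IMAGE_BUILDER_ARN:-}" ]]` matches the commit's intent of an unspecified ARN, and the same applies to the guards added in get_azure_creds.sh and get_gcp_creds.sh. The script's opening lines, before line 4, are outside the hunk.
```shell
# … unchanged: bucket block and ARN guard …
secret=$(/usr/local/bin/aws secretsmanager get-secret-value \
  --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
  --secret-id "${AWS_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString")
ACCESS_KEY_ID=$(jq -r ".access_key_id" <<<"$secret")
SECRET_ACCESS_KEY=$(jq -r ".secret_access_key" <<<"$secret")
# … unchanged: aws_credentials.toml heredoc …
sudo chmod 0600 /etc/osbuild-worker/aws_credentials.toml
# … unchanged: credentials append to osbuild-worker.toml …
```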
diff --git a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_azure_creds.sh b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_azure_creds.sh
index c2bfbf750..640f8dabc 100755
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_azure_creds.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_azure_creds.sh
@@ -4,6 +4,11 @@ source /tmp/cloud_init_vars
 
 echo "Deploy Azure credentials."
 
+if [[ -z "$AZURE_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
+ echo "AZURE_ACCOUNT_IMAGE_BUILDER_ARN not defined, skipping."
+ exit 0
+fi
+
 # Deploy the Azure credentials file.
 /usr/local/bin/aws secretsmanager get-secret-value \
 --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
diff --git a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_gcp_creds.sh b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_gcp_creds.sh
index 1ea58ba20..1b8f816a4 100755
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_gcp_creds.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_gcp_creds.sh
@@ -4,6 +4,11 @@ source /tmp/cloud_init_vars
 
 echo "Deploy GCP credentials."
 
+if [[ -z "$GCP_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
+ echo "GCP_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN not defined, skipping."
+ exit 0
+fi
+
 # Deploy the GCP Service Account credentials file.
 /usr/local/bin/aws secretsmanager get-secret-value \
 --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \