particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

osbuild-service-maintenance: Rework GCP credentials mapping

Browse source 
Because of the way the gcp secrets are stored for the workers, and how
the mapping from vault to openshift works (unable to map a multiple key
secret into a single json file), there's a bit of juggling required to
get the gcp credentials in the right format.
This commit is contained in:
sanne 2021-12-21 15:28:59 +01:00 committed by Sanne Raymaekers
parent 204bf9e176
commit 4797ac281a
4 changed files with 127 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

68
cmd/osbuild-service-maintenance/config.go
View file

@ -8,17 +8,29 @@ import (
// Do not write this config to logs or stdout, it contains secrets!
type Config struct {
DryRun string `env:"DRY_RUN"`
MaxConcurrentRequests string `env:"MAX_CONCURRENT_REQUESTS"`
PGHost string `env:"PGHOST"`
PGPort string `env:"PGPORT"`
PGDatabase string `env:"PGDATABASE"`
PGUser string `env:"PGUSER"`
PGPassword string `env:"PGPASSWORD"`
PGSSLMode string `env:"PGSSLMODE"`
GoogleApplicationCreds string `env:"GOOGLE_APPLICATION_CREDENTIALS"`
AWSAccessKeyID string `env:"AWS_ACCESS_KEY_ID"`
AWSSecretAccessKey string `env:"AWS_SECRET_ACCESS_KEY"`
DryRun string `env:"DRY_RUN"`
MaxConcurrentRequests string `env:"MAX_CONCURRENT_REQUESTS"`
PGHost string `env:"PGHOST"`
PGPort string `env:"PGPORT"`
PGDatabase string `env:"PGDATABASE"`
PGUser string `env:"PGUSER"`
PGPassword string `env:"PGPASSWORD"`
PGSSLMode string `env:"PGSSLMODE"`
AWSAccessKeyID string `env:"AWS_ACCESS_KEY_ID"`
AWSSecretAccessKey string `env:"AWS_SECRET_ACCESS_KEY"`
}
type GCPCredentialsConfig struct {
AuthProviderX509CertUrl string `json:"auth_provider_x509_cert_url" env:"GCP_AUTH_PROVIDER_X509_CERT_URL"`
AuthUri string `json:"auth_uril" env:"GCP_AUTH_URI"`
ClientEmail string `json:"client_email" env:"GCP_CLIENT_EMAIL"`
ClientId string `json:"client_id" env:"GCP_CLIENT_ID"`
ClientX509CertUrl string `json:"client_x509_cert_url" env:"GCP_CLIENT_X509_CERT_URL"`
PrivateKey string `json:"private_key" env:"GCP_PRIVATE_KEY"`
PrivateKeyId string `json:"private_key_id" env:"GCP_PRIVATE_KEY_ID"`
ProjectId string `json:"project_id" env:"GCP_PROJECT_ID"`
TokenUri string `json:"token_uri" env:"GCP_TOKEN_URI"`
Type string `json:"type" env:"GCP_TYPE"`
}
// *string means the value is not required
@ -53,3 +65,37 @@ func LoadConfigFromEnv(intf interface{}) error {
}
return nil
}
func (gc *GCPCredentialsConfig) valid() bool {
if gc.AuthProviderX509CertUrl == "" {
return false
}
if gc.AuthUri == "" {
return false
}
if gc.ClientEmail == "" {
return false
}
if gc.ClientId == "" {
return false
}
if gc.ClientX509CertUrl == "" {
return false
}
if gc.PrivateKey == "" {
return false
}
if gc.PrivateKeyId == "" {
return false
}
if gc.ProjectId == "" {
return false
}
if gc.TokenUri == "" {
return false
}
if gc.Type == "" {
return false
}
return true
}

4
cmd/osbuild-service-maintenance/gcp.go
View file

@ -13,8 +13,8 @@ import (
"github.com/osbuild/osbuild-composer/internal/cloud/gcp"
)
func GCPCleanup(maxConcurrentRequests int, dryRun bool, cutoff time.Time) error {
g, err := gcp.New(nil)
func GCPCleanup(creds []byte, maxConcurrentRequests int, dryRun bool, cutoff time.Time) error {
g, err := gcp.New(creds)
if err != nil {
return err
}

21
cmd/osbuild-service-maintenance/main.go
View file

@ -1,6 +1,7 @@
package main
import (
"encoding/json"
"fmt"
"strconv"
"sync"
@ -66,11 +67,25 @@ func main() {
go func() {
defer wg.Done()
logrus.Info("Cleaning up GCP")
if conf.GoogleApplicationCreds == "" {
logrus.Error("GCP credentials not specified")
var gcpConf GCPCredentialsConfig
err := LoadConfigFromEnv(&gcpConf)
if err != nil {
logrus.Error("Unable to load GCP config from environment")
return
}
err = GCPCleanup(maxCReqs, dryRun, cutoff)
if !gcpConf.valid() {
logrus.Error("GCP credentials invalid, fields missing")
return
}
creds, err := json.Marshal(&gcpConf)
if err != nil {
logrus.Errorf("Unable to marshal gcp conf: %v", err)
return
}
err = GCPCleanup(creds, maxCReqs, dryRun, cutoff)
if err != nil {
logrus.Errorf("GCP Cleanup failed: %v", err)
}

50
templates/composer.yml
View file

@ -275,6 +275,56 @@ objects:
key: db.password
- name: PGSSLMODE
value: "${PGSSLMODE}"
- name: GCP_AUTH_PROVIDER_X509_CERT_URL
valueFrom:
secretKeyRef:
name: gcp-service-account
key: auth_provider_x509_cert_url
- name: GCP_AUTH_URI
valueFrom:
secretKeyRef:
name: gcp-service-account
key: auth_uri
- name: GCP_CLIENT_EMAIL
valueFrom:
secretKeyRef:
name: gcp-service-account
key: client_email
- name: GCP_CLIENT_ID
valueFrom:
secretKeyRef:
name: gcp-service-account
key: client_id
- name: GCP_CLIENT_X509_CERT_URL
valueFrom:
secretKeyRef:
name: gcp-service-account
key: client_x509_cert_url
- name: GCP_PRIVATE_KEY
valueFrom:
secretKeyRef:
name: gcp-service-account
key: private_key
- name: GCP_PRIVATE_KEY_ID
valueFrom:
secretKeyRef:
name: gcp-service-account
key: private_key_id
- name: GCP_PROJECT_ID
valueFrom:
secretKeyRef:
name: gcp-service-account
key: project_id
- name: GCP_TOKEN_URI
valueFrom:
secretKeyRef:
name: gcp-service-account
key: token_uri
- name: GCP_TYPE
valueFrom:
secretKeyRef:
name: gcp-service-account
key: type
- name: DRY_RUN
value: "${MAINTENANCE_DRY_RUN}"
- name: MAX_CONCURRENT_REQUESTS