From 58423c262b54cfc492ecfa30c2e9b32e9801273b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Budai?= Date: Wed, 20 Oct 2021 13:54:21 +0200 Subject: [PATCH] ci: rotate secret names MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ondřej Budai --- internal/boot/aws.go | 4 ++-- internal/boot/azuretest/azure.go | 4 ++-- schutzbot/containerbuild.sh | 2 +- schutzbot/scheduled_cloud_cleaner.sh | 2 +- test/README.md | 12 +++++----- test/cases/api.sh | 22 +++++++++---------- test/cases/api_v2.sh | 10 ++++----- test/cases/aws.sh | 8 +++---- test/cases/azure.sh | 4 ++-- test/cases/ostree-ng-og.sh | 6 ++--- test/cases/ostree-ng.sh | 4 ++-- .../regression-old-worker-new-composer.sh | 2 +- tools/provision.sh | 10 ++++----- 13 files changed, 45 insertions(+), 45 deletions(-) diff --git a/internal/boot/aws.go b/internal/boot/aws.go index 976379398..9840d2efb 100644 --- a/internal/boot/aws.go +++ b/internal/boot/aws.go @@ -30,8 +30,8 @@ type awsCredentials struct { // If none of the environment variables is set, it returns nil. // If some but not all environment variables are set, it returns an error. func GetAWSCredentialsFromEnv() (*awsCredentials, error) { - accessKeyId, akExists := os.LookupEnv("AWS_ACCESS_KEY_ID") - secretAccessKey, sakExists := os.LookupEnv("AWS_SECRET_ACCESS_KEY") + accessKeyId, akExists := os.LookupEnv("V2_AWS_ACCESS_KEY_ID") + secretAccessKey, sakExists := os.LookupEnv("V2_AWS_SECRET_ACCESS_KEY") region, regionExists := os.LookupEnv("AWS_REGION") bucket, bucketExists := os.LookupEnv("AWS_BUCKET") diff --git a/internal/boot/azuretest/azure.go b/internal/boot/azuretest/azure.go index 86f2175c3..e384a331f 100644 --- a/internal/boot/azuretest/azure.go +++ b/internal/boot/azuretest/azure.go 
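Review bot: Rotating the names GetAWSCredentialsFromEnv looks up does not stop the AWS SDK's default credential chain from reading the un-prefixed `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, so if the retired variables stay defined on the CI runner, any session built without the credentials this function returns would presumably keep using the old key; the rotation is only complete once those variables are removed from the runner environment. The same holds for the azure.go hunk on the next line, where `AZURE_CLIENT_ID`/`AZURE_CLIENT_SECRET` are the names the Azure identity environment credential reads by default. The doc comment above the function still only says "environment variables"; consider adding `// Credentials are read from V2_AWS_ACCESS_KEY_ID and V2_AWS_SECRET_ACCESS_KEY; the un-prefixed SDK default names are deliberately not consulted.` GetAWSCredentialsFromEnv's body continues outside the hunk.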
@@ -52,8 +52,8 @@ func GetAzureCredentialsFromEnv() (*azureCredentials, error) { storageAccessKey, sakExists := os.LookupEnv("AZURE_STORAGE_ACCESS_KEY") containerName, cExists := os.LookupEnv("AZURE_CONTAINER_NAME") subscriptionId, siExists := os.LookupEnv("AZURE_SUBSCRIPTION_ID") - clientId, ciExists := os.LookupEnv("AZURE_CLIENT_ID") - clientSecret, csExists := os.LookupEnv("AZURE_CLIENT_SECRET") + clientId, ciExists := os.LookupEnv("V2_AZURE_CLIENT_ID") + clientSecret, csExists := os.LookupEnv("V2_AZURE_CLIENT_SECRET") tenantId, tiExists := os.LookupEnv("AZURE_TENANT_ID") location, lExists := os.LookupEnv("AZURE_LOCATION") resourceGroup, rgExists := os.LookupEnv("AZURE_RESOURCE_GROUP") diff --git a/schutzbot/containerbuild.sh b/schutzbot/containerbuild.sh index 276acaf11..cc690969b 100755 --- a/schutzbot/containerbuild.sh +++ b/schutzbot/containerbuild.sh @@ -20,5 +20,5 @@ podman \ # Push to reuse later in the pipeline (see regression tests) BRANCH_NAME="${BRANCH_NAME:-${CI_COMMIT_BRANCH}}" podman push \ - --creds "${QUAY_USERNAME}":"${QUAY_PASSWORD}" \ + --creds "${V2_QUAY_USERNAME}":"${V2_QUAY_PASSWORD}" \ "${IMAGE_NAME}:${IMAGE_TAG}" diff --git a/schutzbot/scheduled_cloud_cleaner.sh b/schutzbot/scheduled_cloud_cleaner.sh index c733d9870..16bc20a1c 100755 --- a/schutzbot/scheduled_cloud_cleaner.sh +++ b/schutzbot/scheduled_cloud_cleaner.sh @@ -17,7 +17,7 @@ gpgkey=https://packages.microsoft.com/keys/microsoft.asc" | sudo tee /etc/yum.re az version fi -az login --service-principal --username "${AZURE_CLIENT_ID}" --password "${AZURE_CLIENT_SECRET}" --tenant "${AZURE_TENANT_ID}" +az login --service-principal --username "${V2_AZURE_CLIENT_ID}" --password "${V2_AZURE_CLIENT_SECRET}" --tenant "${AZURE_TENANT_ID}" # List all resources from AZURE_RESOURCE_GROUP RESOURCE_LIST=$(az resource list -g "$AZURE_RESOURCE_GROUP") diff --git a/test/README.md b/test/README.md index 480d846f0..6a374a3c4 100644 --- a/test/README.md +++ b/test/README.md 
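Review bot: `--creds "${V2_QUAY_USERNAME}":"${V2_QUAY_PASSWORD}"` in containerbuild.sh puts the freshly rotated password on the `podman push` command line, where it is visible in process listings for the duration of the push and in any `set -x` trace that is active. Logging in via stdin first keeps it off the command line: `printf '%s' "${V2_QUAY_PASSWORD}" | podman login --username "${V2_QUAY_USERNAME}" --password-stdin quay.io` followed by a plain `podman push "${IMAGE_NAME}:${IMAGE_TAG}"`. The same exposure recurs in the ostree-ng-og.sh and ostree-ng.sh `skopeo --creds`/`--dest-creds` and `podman login --password` lines and in the regression-old-worker-new-composer.sh `sudo podman pull --creds` line, where `sudo` by default also records the full argument list, password included, in its log.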
@@ -169,8 +169,8 @@ it uploads the image to Azure, boots it and tries to ssh into it. - `AZURE_STORAGE_ACCESS_KEY` - `AZURE_CONTAINER_NAME` - `AZURE_SUBSCRIPTION_ID` -- `AZURE_CLIENT_ID` -- `AZURE_CLIENT_SECRET` +- `V2_AZURE_CLIENT_ID` +- `V2_AZURE_CLIENT_SECRET` - `AZURE_TENANT_ID` - `AZURE_LOCATION` - `AZURE_RESOURCE_GROUP` @@ -207,10 +207,10 @@ it uploads the image to Azure, boots it and tries to ssh into it. When it’s created, open it. In the overview, you can see the Application (client) ID and the Directory (tenant) ID. These are your - `AZURE_CLIENT_ID` and `AZURE_TENANT_ID`. + `V2_AZURE_CLIENT_ID` and `AZURE_TENANT_ID`. Now, go to *Manage > Certificates & Secrets* under your new application - and create a new client secret. The is your `AZURE_CLIENT_SECRET`. + and create a new client secret. The is your `V2_AZURE_CLIENT_SECRET`. 5) The last step is to give the new application access to the resource group. This step must be done by Azure administrator (@larskarlitski): Go to @@ -330,8 +330,8 @@ The following environment variables are required - `AWS_REGION` - `AWS_BUCKET` -- `AWS_ACCESS_KEY_ID` -- `AWS_SECRET_ACCESS_KEY` +- `V2_AWS_ACCESS_KEY_ID` +- `V2_AWS_SECRET_ACCESS_KEY` - `AWS_API_TEST_SHARE_ACCOUNT` To execute the AWS integration tests, complete steps from *Cloud API integration testing* diff --git a/test/cases/api.sh b/test/cases/api.sh index b6b9e7cd2..c2b6058c6 100755 --- a/test/cases/api.sh +++ b/test/cases/api.sh @@ -125,7 +125,7 @@ esac # Check that needed variables are set to access AWS. function checkEnvAWS() { - printenv AWS_REGION AWS_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_API_TEST_SHARE_ACCOUNT > /dev/null + printenv AWS_REGION AWS_BUCKET V2_AWS_ACCESS_KEY_ID V2_AWS_SECRET_ACCESS_KEY AWS_API_TEST_SHARE_ACCOUNT > /dev/null } # Check that needed variables are set to access GCP. 
@@ -135,7 +135,7 @@ function checkEnvGCP() { # Check that needed variables are set to access Azure. function checkEnvAzure() { - printenv AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID AZURE_RESOURCE_GROUP AZURE_LOCATION AZURE_CLIENT_ID AZURE_CLIENT_SECRET > /dev/null + printenv AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID AZURE_RESOURCE_GROUP AZURE_LOCATION V2_AZURE_CLIENT_ID V2_AZURE_CLIENT_SECRET > /dev/null } # Check that needed variables are set to register to RHSM (RHEL only) @@ -288,8 +288,8 @@ function installClientAWS() { sudo ${CONTAINER_RUNTIME} pull ${CONTAINER_IMAGE_CLOUD_TOOLS} AWS_CMD="sudo ${CONTAINER_RUNTIME} run --rm \ - -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ - -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ + -e AWS_ACCESS_KEY_ID=${V2_AWS_ACCESS_KEY_ID} \ + -e AWS_SECRET_ACCESS_KEY=${V2_AWS_SECRET_ACCESS_KEY} \ -v ${WORKDIR}:${WORKDIR}:Z \ ${CONTAINER_IMAGE_CLOUD_TOOLS} aws --region $AWS_REGION --output json --color on" else @@ -487,13 +487,13 @@ function createReqFileAWS() { "options": { "region": "${AWS_REGION}", "s3": { - "access_key_id": "${AWS_ACCESS_KEY_ID}", - "secret_access_key": "${AWS_SECRET_ACCESS_KEY}", + "access_key_id": "${V2_AWS_ACCESS_KEY_ID}", + "secret_access_key": "${V2_AWS_SECRET_ACCESS_KEY}", "bucket": "${AWS_BUCKET}" }, "ec2": { - "access_key_id": "${AWS_ACCESS_KEY_ID}", - "secret_access_key": "${AWS_SECRET_ACCESS_KEY}", + "access_key_id": "${V2_AWS_ACCESS_KEY_ID}", + "secret_access_key": "${V2_AWS_SECRET_ACCESS_KEY}", "snapshot_name": "${AWS_SNAPSHOT_NAME}", "share_with_accounts": ["${AWS_API_TEST_SHARE_ACCOUNT}"] } @@ -532,8 +532,8 @@ function createReqFileAWSS3() { "options": { "region": "${AWS_REGION}", "s3": { - "access_key_id": "${AWS_ACCESS_KEY_ID}", - "secret_access_key": "${AWS_SECRET_ACCESS_KEY}", + "access_key_id": "${V2_AWS_ACCESS_KEY_ID}", + "secret_access_key": "${V2_AWS_SECRET_ACCESS_KEY}", "bucket": "${AWS_BUCKET}" } } 
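Review bot: In installClientAWS, `-e AWS_SECRET_ACCESS_KEY=${V2_AWS_SECRET_ACCESS_KEY}` expands the rotated secret into the `AWS_CMD` string, so every later `$AWS_CMD` invocation carries it on the `podman run` command line and into the xtrace log that verifyInAzure apparently has to suppress with `set +x`. A safer construction is to write `AWS_ACCESS_KEY_ID=…`/`AWS_SECRET_ACCESS_KEY=…` to a mode-0600 file under `${WORKDIR}` inside a `set +x` … `set -x` bracket and replace the two `-e` flags with `--env-file "${AWS_ENV_FILE}"`, so the value never appears in a process argument list. The identical construction is repeated in the api_v2.sh and aws.sh installClientAWS hunks further down. installClientAWS continues outside the hunk.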
@@ -1040,7 +1040,7 @@ function verifyInGCP() { # Verify image in Azure function verifyInAzure() { set +x - $AZURE_CMD login --service-principal --username "${AZURE_CLIENT_ID}" --password "${AZURE_CLIENT_SECRET}" --tenant "${AZURE_TENANT_ID}" + $AZURE_CMD login --service-principal --username "${V2_AZURE_CLIENT_ID}" --password "${V2_AZURE_CLIENT_SECRET}" --tenant "${AZURE_TENANT_ID}" set -x # verify that the image exists diff --git a/test/cases/api_v2.sh b/test/cases/api_v2.sh index 0d6f474cd..812adbf31 100755 --- a/test/cases/api_v2.sh +++ b/test/cases/api_v2.sh @@ -90,8 +90,8 @@ credentials="$AWS_CREDS_FILE" EOF cat < /dev/null + printenv AWS_REGION AWS_BUCKET V2_AWS_ACCESS_KEY_ID V2_AWS_SECRET_ACCESS_KEY AWS_API_TEST_SHARE_ACCOUNT > /dev/null } # Check that needed variables are set to register to RHSM (RHEL only) @@ -218,8 +218,8 @@ function installClientAWS() { sudo ${CONTAINER_RUNTIME} pull ${CONTAINER_IMAGE_CLOUD_TOOLS} AWS_CMD="sudo ${CONTAINER_RUNTIME} run --rm \ - -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ - -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ + -e AWS_ACCESS_KEY_ID=${V2_AWS_ACCESS_KEY_ID} \ + -e AWS_SECRET_ACCESS_KEY=${V2_AWS_SECRET_ACCESS_KEY} \ -v ${WORKDIR}:${WORKDIR}:Z \ ${CONTAINER_IMAGE_CLOUD_TOOLS} aws --region $AWS_REGION --output json --color on" else diff --git a/test/cases/aws.sh b/test/cases/aws.sh index b96e65014..3703a2cca 100755 --- a/test/cases/aws.sh +++ b/test/cases/aws.sh @@ -58,8 +58,8 @@ if ! hash aws; then sudo ${CONTAINER_RUNTIME} pull ${CONTAINER_IMAGE_CLOUD_TOOLS} AWS_CMD="sudo ${CONTAINER_RUNTIME} run --rm \ - -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ - -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ + -e AWS_ACCESS_KEY_ID=${V2_AWS_ACCESS_KEY_ID} \ + -e AWS_SECRET_ACCESS_KEY=${V2_AWS_SECRET_ACCESS_KEY} \ -v ${TEMPDIR}:${TEMPDIR}:Z \ -v ${SSH_DATA_DIR}:${SSH_DATA_DIR}:Z \ ${CONTAINER_IMAGE_CLOUD_TOOLS} aws --region $AWS_REGION --output json --color on" 
@@ -129,8 +129,8 @@ tee "$AWS_CONFIG" > /dev/null << EOF provider = "aws" [settings] -accessKeyID = "${AWS_ACCESS_KEY_ID}" -secretAccessKey = "${AWS_SECRET_ACCESS_KEY}" +accessKeyID = "${V2_AWS_ACCESS_KEY_ID}" +secretAccessKey = "${V2_AWS_SECRET_ACCESS_KEY}" bucket = "${AWS_BUCKET}" region = "${AWS_REGION}" key = "${IMAGE_KEY}" diff --git a/test/cases/azure.sh b/test/cases/azure.sh index b009f6e95..421d16680 100755 --- a/test/cases/azure.sh +++ b/test/cases/azure.sh @@ -233,8 +233,8 @@ export TF_VAR_TEST_ID="$TEST_ID" # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/image#argument-reference export TF_VAR_HYPER_V_GEN="${HYPER_V_GEN}" export BLOB_URL="https://$AZURE_STORAGE_ACCOUNT.blob.core.windows.net/$AZURE_CONTAINER_NAME/$IMAGE_KEY.vhd" -export ARM_CLIENT_ID="$AZURE_CLIENT_ID" > /dev/null -export ARM_CLIENT_SECRET="$AZURE_CLIENT_SECRET" > /dev/null +export ARM_CLIENT_ID="$V2_AZURE_CLIENT_ID" > /dev/null +export ARM_CLIENT_SECRET="$V2_AZURE_CLIENT_SECRET" > /dev/null export ARM_SUBSCRIPTION_ID="$AZURE_SUBSCRIPTION_ID" > /dev/null export ARM_TENANT_ID="$AZURE_TENANT_ID" > /dev/null diff --git a/test/cases/ostree-ng-og.sh b/test/cases/ostree-ng-og.sh index 2d8477d5b..e942b8e69 100644 --- a/test/cases/ostree-ng-og.sh +++ b/test/cases/ostree-ng-og.sh @@ -191,7 +191,7 @@ wait_for_ssh_up () { clean_up () { greenprint "🧼 Cleaning up" # Remove tag from quay.io repo - skopeo delete --creds "${QUAY_USERNAME}:${QUAY_PASSWORD}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}" + skopeo delete --creds "${V2_QUAY_USERNAME}:${V2_QUAY_PASSWORD}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}" # Clear vm if [[ $(sudo virsh domstate "${IMAGE_KEY}-uefi") == "running" ]]; then 
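Review bot: `> /dev/null` on `export ARM_CLIENT_ID="$V2_AZURE_CLIENT_ID"` and the three exports around it in azure.sh redirects nothing, since `export` with an assignment produces no output; the redirections read as if they were meant to hide the secret values, which they do not do. If the intent is to keep the secrets out of an xtrace log, bracket the assignments with `set +x` … `set -x` as verifyInAzure in api.sh does; otherwise drop the redirections, e.g. `export ARM_CLIENT_ID="$V2_AZURE_CLIENT_ID"` and `export ARM_CLIENT_SECRET="$V2_AZURE_CLIENT_SECRET"`.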
@@ -304,9 +304,9 @@ sudo podman rmi -f -a # Deal with stage repo image greenprint "🗜 Pushing image to quay.io" IMAGE_FILENAME="${COMPOSE_ID}-${CONTAINER_FILENAME}" -skopeo copy --dest-creds "${QUAY_USERNAME}:${QUAY_PASSWORD}" "oci-archive:${IMAGE_FILENAME}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}" +skopeo copy --dest-creds "${V2_QUAY_USERNAME}:${V2_QUAY_PASSWORD}" "oci-archive:${IMAGE_FILENAME}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}" greenprint "Downloading image from quay.io" -sudo podman login quay.io --username "${QUAY_USERNAME}" --password "${QUAY_PASSWORD}" +sudo podman login quay.io --username "${V2_QUAY_USERNAME}" --password "${V2_QUAY_PASSWORD}" sudo podman pull "${QUAY_REPO_URL}:${QUAY_REPO_TAG}" sudo podman images greenprint "🗜 Running the image" diff --git a/test/cases/ostree-ng.sh b/test/cases/ostree-ng.sh index 63afd62a8..eb2d11570 100755 --- a/test/cases/ostree-ng.sh +++ b/test/cases/ostree-ng.sh @@ -215,7 +215,7 @@ wait_for_ssh_up () { clean_up () { greenprint "🧼 Cleaning up" # Remove tag from quay.io repo - skopeo delete --creds "${QUAY_USERNAME}:${QUAY_PASSWORD}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}" + skopeo delete --creds "${V2_QUAY_USERNAME}:${V2_QUAY_PASSWORD}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}" # Clear vm if [[ $(sudo virsh domstate "${IMAGE_KEY}-uefi") == "running" ]]; then @@ -329,7 +329,7 @@ sudo podman rmi -f -a # Deal with stage repo image greenprint "🗜 Pushing image to quay.io" IMAGE_FILENAME="${COMPOSE_ID}-${CONTAINER_FILENAME}" -skopeo copy --dest-creds "${QUAY_USERNAME}:${QUAY_PASSWORD}" "oci-archive:${IMAGE_FILENAME}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}" +skopeo copy --dest-creds "${V2_QUAY_USERNAME}:${V2_QUAY_PASSWORD}" "oci-archive:${IMAGE_FILENAME}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}" # Clear image file sudo rm -f "$IMAGE_FILENAME" diff --git a/test/cases/regression-old-worker-new-composer.sh b/test/cases/regression-old-worker-new-composer.sh index 8d5412f99..a3ccab7d2 100644 --- a/test/cases/regression-old-worker-new-composer.sh 
+++ b/test/cases/regression-old-worker-new-composer.sh @@ -44,7 +44,7 @@ rpm -q "$WORKER_RPM" WELDR_DIR="$(mktemp -d)" WELDR_SOCK="$WELDR_DIR/api.socket" -sudo podman pull --creds "${QUAY_USERNAME}":"${QUAY_PASSWORD}" \ +sudo podman pull --creds "${V2_QUAY_USERNAME}":"${V2_QUAY_PASSWORD}" \ "quay.io/osbuild/osbuild-composer-ubi-pr:${CI_COMMIT_SHA}" # The host entitlement doesn't get picked up by composer diff --git a/tools/provision.sh b/tools/provision.sh index be4c9f57a..2e6908c13 100755 --- a/tools/provision.sh +++ b/tools/provision.sh @@ -45,13 +45,13 @@ if [ -n "$GOOGLE_APPLICATION_CREDENTIALS" ]; then fi # if Azure credentials are defined in the env, create the credentials file -AZURE_CLIENT_ID="${AZURE_CLIENT_ID:-}" -AZURE_CLIENT_SECRET="${AZURE_CLIENT_SECRET:-}" -if [[ -n "$AZURE_CLIENT_ID" && -n "$AZURE_CLIENT_SECRET" ]]; then +V2_AZURE_CLIENT_ID="${V2_AZURE_CLIENT_ID:-}" +V2_AZURE_CLIENT_SECRET="${V2_AZURE_CLIENT_SECRET:-}" +if [[ -n "$V2_AZURE_CLIENT_ID" && -n "$V2_AZURE_CLIENT_SECRET" ]]; then set +x sudo tee /etc/osbuild-worker/azure-credentials.toml > /dev/null << EOF -client_id = "$AZURE_CLIENT_ID" -client_secret = "$AZURE_CLIENT_SECRET" +client_id = "$V2_AZURE_CLIENT_ID" +client_secret = "$V2_AZURE_CLIENT_SECRET" EOF sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF