ci: rotate secret names
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
This commit is contained in:
Ondřej Budai
Ondřej Budai
parent
65e429fc4a
commit
58423c262b
13 changed files with 45 additions and 45 deletions
|
|
@ -125,7 +125,7 @@ esac
|
|||
|
||||
# Check that needed variables are set to access AWS.
|
||||
function checkEnvAWS() {
|
||||
printenv AWS_REGION AWS_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_API_TEST_SHARE_ACCOUNT > /dev/null
|
||||
printenv AWS_REGION AWS_BUCKET V2_AWS_ACCESS_KEY_ID V2_AWS_SECRET_ACCESS_KEY AWS_API_TEST_SHARE_ACCOUNT > /dev/null
|
||||
}
|
||||
|
||||
# Check that needed variables are set to access GCP.
|
||||
|
|
@ -135,7 +135,7 @@ function checkEnvGCP() {
|
|||
|
||||
# Check that needed variables are set to access Azure.
|
||||
function checkEnvAzure() {
|
||||
printenv AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID AZURE_RESOURCE_GROUP AZURE_LOCATION AZURE_CLIENT_ID AZURE_CLIENT_SECRET > /dev/null
|
||||
printenv AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID AZURE_RESOURCE_GROUP AZURE_LOCATION V2_AZURE_CLIENT_ID V2_AZURE_CLIENT_SECRET > /dev/null
|
||||
}
|
||||
|
||||
# Check that needed variables are set to register to RHSM (RHEL only)
|
||||
|
|
@ -288,8 +288,8 @@ function installClientAWS() {
|
|||
sudo ${CONTAINER_RUNTIME} pull ${CONTAINER_IMAGE_CLOUD_TOOLS}
|
||||
|
||||
AWS_CMD="sudo ${CONTAINER_RUNTIME} run --rm \
|
||||
-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
|
||||
-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
|
||||
-e AWS_ACCESS_KEY_ID=${V2_AWS_ACCESS_KEY_ID} \
|
||||
-e AWS_SECRET_ACCESS_KEY=${V2_AWS_SECRET_ACCESS_KEY} \
|
||||
-v ${WORKDIR}:${WORKDIR}:Z \
|
||||
${CONTAINER_IMAGE_CLOUD_TOOLS} aws --region $AWS_REGION --output json --color on"
|
||||
else
|
||||
|
|
@ -487,13 +487,13 @@ function createReqFileAWS() {
|
|||
"options": {
|
||||
"region": "${AWS_REGION}",
|
||||
"s3": {
|
||||
"access_key_id": "${AWS_ACCESS_KEY_ID}",
|
||||
"secret_access_key": "${AWS_SECRET_ACCESS_KEY}",
|
||||
"access_key_id": "${V2_AWS_ACCESS_KEY_ID}",
|
||||
"secret_access_key": "${V2_AWS_SECRET_ACCESS_KEY}",
|
||||
"bucket": "${AWS_BUCKET}"
|
||||
},
|
||||
"ec2": {
|
||||
"access_key_id": "${AWS_ACCESS_KEY_ID}",
|
||||
"secret_access_key": "${AWS_SECRET_ACCESS_KEY}",
|
||||
"access_key_id": "${V2_AWS_ACCESS_KEY_ID}",
|
||||
"secret_access_key": "${V2_AWS_SECRET_ACCESS_KEY}",
|
||||
"snapshot_name": "${AWS_SNAPSHOT_NAME}",
|
||||
"share_with_accounts": ["${AWS_API_TEST_SHARE_ACCOUNT}"]
|
||||
}
|
||||
|
|
@ -532,8 +532,8 @@ function createReqFileAWSS3() {
|
|||
"options": {
|
||||
"region": "${AWS_REGION}",
|
||||
"s3": {
|
||||
"access_key_id": "${AWS_ACCESS_KEY_ID}",
|
||||
"secret_access_key": "${AWS_SECRET_ACCESS_KEY}",
|
||||
"access_key_id": "${V2_AWS_ACCESS_KEY_ID}",
|
||||
"secret_access_key": "${V2_AWS_SECRET_ACCESS_KEY}",
|
||||
"bucket": "${AWS_BUCKET}"
|
||||
}
|
||||
}
|
||||
|
|
@ -1040,7 +1040,7 @@ function verifyInGCP() {
|
|||
# Verify image in Azure
|
||||
function verifyInAzure() {
|
||||
set +x
|
||||
$AZURE_CMD login --service-principal --username "${AZURE_CLIENT_ID}" --password "${AZURE_CLIENT_SECRET}" --tenant "${AZURE_TENANT_ID}"
|
||||
$AZURE_CMD login --service-principal --username "${V2_AZURE_CLIENT_ID}" --password "${V2_AZURE_CLIENT_SECRET}" --tenant "${AZURE_TENANT_ID}"
|
||||
set -x
|
||||
|
||||
# verify that the image exists
|
||||
|
|
|
|||
|
|
@ -90,8 +90,8 @@ credentials="$AWS_CREDS_FILE"
|
|||
EOF
|
||||
cat <<EOF | sudo tee "$AWS_CREDS_FILE"
|
||||
[default]
|
||||
aws_access_key_id = $AWS_ACCESS_KEY_ID
|
||||
aws_secret_access_key = $AWS_SECRET_ACCESS_KEY
|
||||
aws_access_key_id = $V2_AWS_ACCESS_KEY_ID
|
||||
aws_secret_access_key = $V2_AWS_SECRET_ACCESS_KEY
|
||||
EOF
|
||||
sudo systemctl restart osbuild-composer osbuild-composer-worker@*.service
|
||||
}
|
||||
|
|
@ -133,7 +133,7 @@ esac
|
|||
|
||||
# Check that needed variables are set to access AWS.
|
||||
function checkEnvAWS() {
|
||||
printenv AWS_REGION AWS_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_API_TEST_SHARE_ACCOUNT > /dev/null
|
||||
printenv AWS_REGION AWS_BUCKET V2_AWS_ACCESS_KEY_ID V2_AWS_SECRET_ACCESS_KEY AWS_API_TEST_SHARE_ACCOUNT > /dev/null
|
||||
}
|
||||
|
||||
# Check that needed variables are set to register to RHSM (RHEL only)
|
||||
|
|
@ -218,8 +218,8 @@ function installClientAWS() {
|
|||
sudo ${CONTAINER_RUNTIME} pull ${CONTAINER_IMAGE_CLOUD_TOOLS}
|
||||
|
||||
AWS_CMD="sudo ${CONTAINER_RUNTIME} run --rm \
|
||||
-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
|
||||
-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
|
||||
-e AWS_ACCESS_KEY_ID=${V2_AWS_ACCESS_KEY_ID} \
|
||||
-e AWS_SECRET_ACCESS_KEY=${V2_AWS_SECRET_ACCESS_KEY} \
|
||||
-v ${WORKDIR}:${WORKDIR}:Z \
|
||||
${CONTAINER_IMAGE_CLOUD_TOOLS} aws --region $AWS_REGION --output json --color on"
|
||||
else
|
||||
|
|
|
|||
|
|
@ -58,8 +58,8 @@ if ! hash aws; then
|
|||
sudo ${CONTAINER_RUNTIME} pull ${CONTAINER_IMAGE_CLOUD_TOOLS}
|
||||
|
||||
AWS_CMD="sudo ${CONTAINER_RUNTIME} run --rm \
|
||||
-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
|
||||
-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
|
||||
-e AWS_ACCESS_KEY_ID=${V2_AWS_ACCESS_KEY_ID} \
|
||||
-e AWS_SECRET_ACCESS_KEY=${V2_AWS_SECRET_ACCESS_KEY} \
|
||||
-v ${TEMPDIR}:${TEMPDIR}:Z \
|
||||
-v ${SSH_DATA_DIR}:${SSH_DATA_DIR}:Z \
|
||||
${CONTAINER_IMAGE_CLOUD_TOOLS} aws --region $AWS_REGION --output json --color on"
|
||||
|
|
@ -129,8 +129,8 @@ tee "$AWS_CONFIG" > /dev/null << EOF
|
|||
provider = "aws"
|
||||
|
||||
[settings]
|
||||
accessKeyID = "${AWS_ACCESS_KEY_ID}"
|
||||
secretAccessKey = "${AWS_SECRET_ACCESS_KEY}"
|
||||
accessKeyID = "${V2_AWS_ACCESS_KEY_ID}"
|
||||
secretAccessKey = "${V2_AWS_SECRET_ACCESS_KEY}"
|
||||
bucket = "${AWS_BUCKET}"
|
||||
region = "${AWS_REGION}"
|
||||
key = "${IMAGE_KEY}"
|
||||
|
|
|
|||
|
|
@ -233,8 +233,8 @@ export TF_VAR_TEST_ID="$TEST_ID"
|
|||
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/image#argument-reference
|
||||
export TF_VAR_HYPER_V_GEN="${HYPER_V_GEN}"
|
||||
export BLOB_URL="https://$AZURE_STORAGE_ACCOUNT.blob.core.windows.net/$AZURE_CONTAINER_NAME/$IMAGE_KEY.vhd"
|
||||
export ARM_CLIENT_ID="$AZURE_CLIENT_ID" > /dev/null
|
||||
export ARM_CLIENT_SECRET="$AZURE_CLIENT_SECRET" > /dev/null
|
||||
export ARM_CLIENT_ID="$V2_AZURE_CLIENT_ID" > /dev/null
|
||||
export ARM_CLIENT_SECRET="$V2_AZURE_CLIENT_SECRET" > /dev/null
|
||||
export ARM_SUBSCRIPTION_ID="$AZURE_SUBSCRIPTION_ID" > /dev/null
|
||||
export ARM_TENANT_ID="$AZURE_TENANT_ID" > /dev/null
|
||||
|
||||
|
|
|
|||
|
|
@ -191,7 +191,7 @@ wait_for_ssh_up () {
|
|||
clean_up () {
|
||||
greenprint "🧼 Cleaning up"
|
||||
# Remove tag from quay.io repo
|
||||
skopeo delete --creds "${QUAY_USERNAME}:${QUAY_PASSWORD}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}"
|
||||
skopeo delete --creds "${V2_QUAY_USERNAME}:${V2_QUAY_PASSWORD}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}"
|
||||
|
||||
# Clear vm
|
||||
if [[ $(sudo virsh domstate "${IMAGE_KEY}-uefi") == "running" ]]; then
|
||||
|
|
@ -304,9 +304,9 @@ sudo podman rmi -f -a
|
|||
# Deal with stage repo image
|
||||
greenprint "🗜 Pushing image to quay.io"
|
||||
IMAGE_FILENAME="${COMPOSE_ID}-${CONTAINER_FILENAME}"
|
||||
skopeo copy --dest-creds "${QUAY_USERNAME}:${QUAY_PASSWORD}" "oci-archive:${IMAGE_FILENAME}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}"
|
||||
skopeo copy --dest-creds "${V2_QUAY_USERNAME}:${V2_QUAY_PASSWORD}" "oci-archive:${IMAGE_FILENAME}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}"
|
||||
greenprint "Downloading image from quay.io"
|
||||
sudo podman login quay.io --username "${QUAY_USERNAME}" --password "${QUAY_PASSWORD}"
|
||||
sudo podman login quay.io --username "${V2_QUAY_USERNAME}" --password "${V2_QUAY_PASSWORD}"
|
||||
sudo podman pull "${QUAY_REPO_URL}:${QUAY_REPO_TAG}"
|
||||
sudo podman images
|
||||
greenprint "🗜 Running the image"
|
||||
|
|
|
|||
|
|
@ -215,7 +215,7 @@ wait_for_ssh_up () {
|
|||
clean_up () {
|
||||
greenprint "🧼 Cleaning up"
|
||||
# Remove tag from quay.io repo
|
||||
skopeo delete --creds "${QUAY_USERNAME}:${QUAY_PASSWORD}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}"
|
||||
skopeo delete --creds "${V2_QUAY_USERNAME}:${V2_QUAY_PASSWORD}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}"
|
||||
|
||||
# Clear vm
|
||||
if [[ $(sudo virsh domstate "${IMAGE_KEY}-uefi") == "running" ]]; then
|
||||
|
|
@ -329,7 +329,7 @@ sudo podman rmi -f -a
|
|||
# Deal with stage repo image
|
||||
greenprint "🗜 Pushing image to quay.io"
|
||||
IMAGE_FILENAME="${COMPOSE_ID}-${CONTAINER_FILENAME}"
|
||||
skopeo copy --dest-creds "${QUAY_USERNAME}:${QUAY_PASSWORD}" "oci-archive:${IMAGE_FILENAME}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}"
|
||||
skopeo copy --dest-creds "${V2_QUAY_USERNAME}:${V2_QUAY_PASSWORD}" "oci-archive:${IMAGE_FILENAME}" "${QUAY_REPO_URL}:${QUAY_REPO_TAG}"
|
||||
# Clear image file
|
||||
sudo rm -f "$IMAGE_FILENAME"
|
||||
|
||||
|
|
|
|||
|
|
@ -44,7 +44,7 @@ rpm -q "$WORKER_RPM"
|
|||
WELDR_DIR="$(mktemp -d)"
|
||||
WELDR_SOCK="$WELDR_DIR/api.socket"
|
||||
|
||||
sudo podman pull --creds "${QUAY_USERNAME}":"${QUAY_PASSWORD}" \
|
||||
sudo podman pull --creds "${V2_QUAY_USERNAME}":"${V2_QUAY_PASSWORD}" \
|
||||
"quay.io/osbuild/osbuild-composer-ubi-pr:${CI_COMMIT_SHA}"
|
||||
|
||||
# The host entitlement doesn't get picked up by composer
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue