diff --git a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_koji_creds.sh b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_koji_creds.sh
new file mode 100755
index 000000000..863bbdd44
--- /dev/null
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_koji_creds.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -eo pipefail
+source /tmp/cloud_init_vars
+
+echo "Deploy Koji credentials."
+
+if [[ -z "$KOJI_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
+ echo "KOJI_ACCOUNT_IMAGE_BUILDER_ARN not defined, skipping."
+ exit 0
+fi
+
+/usr/local/bin/aws secretsmanager get-secret-value \
+ --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
+ --secret-id "${KOJI_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/koji_credentials.json
+
+KOJIHUB=$(jq -r ".kojihub" /tmp/koji_credentials.json)
+PRINCIPAL=$(jq -r ".principal" /tmp/koji_credentials.json)
+
+jq -r ".keytab" /tmp/koji_credentials.json | base64 -d >/etc/osbuild-worker/koji.keytab
+rm /tmp/koji_credentials.json
+
+sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
+[koji."${KOJIHUB}".kerberos]
+principal = "${PRINCIPAL}"
+keytab = "/etc/osbuild-worker/koji.keytab"
+EOF
+
diff --git a/templates/packer/ansible/roles/common/files/worker-initialization.service b/templates/packer/ansible/roles/common/files/worker-initialization.service
index d5f013585..7bc04f481 100644
--- a/templates/packer/ansible/roles/common/files/worker-initialization.service
+++ b/templates/packer/ansible/roles/common/files/worker-initialization.service
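Review bot: The guard tests `KOJI_ACCOUNT_IMAGE_BUILDER_ARN` but the `--secret-id` argument reads `KOJI_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN`, so whichever of the two cloud_init_vars does not define, the script either skips when it should not or calls aws with an empty secret id — and since the script sets `-eo pipefail` without `-u`, the empty expansion is not caught; use one name consistently, e.g. `--secret-id "${KOJI_ACCOUNT_IMAGE_BUILDER_ARN}"`. The decoded secret is staged at the predictable path /tmp/koji_credentials.json and the keytab at /etc/osbuild-worker/koji.keytab is created with whatever the process umask allows; add `umask 077` right after `set -eo pipefail` (or `install -m 0600` the keytab), and stage the JSON via `mktemp` removed from an `EXIT` trap so it is also cleaned up when a later jq or base64 step fails under `set -e`. The `tee -a` heredoc appends a new `[koji.…kerberos]` table on each invocation, so if this initialization unit is ever re-run on the same host osbuild-worker.toml accumulates duplicate sections; consider guarding the append with a `grep -q` for the kojihub key.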
@@ -14,6 +14,7 @@ ExecStart=/usr/local/libexec/worker-initialization-scripts/subscription_manager.
 ExecStart=/usr/local/libexec/worker-initialization-scripts/get_aws_creds.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/get_azure_creds.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/get_gcp_creds.sh
+ExecStart=/usr/local/libexec/worker-initialization-scripts/get_koji_creds.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/worker_service.sh
 [Install]