packer: add support for koji credentials

Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2022-03-11 10:42:17 +01:00 · 2022-03-11 10:42:17 +01:00 · c46376aea2
commit c46376aea2
parent 2dd5ae7bca
2 changed files with 28 additions and 0 deletions
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_koji_creds.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/get_koji_creds.sh
@ -0,0 +1,27 @@
+#!/bin/bash
+set -eo pipefail
+source /tmp/cloud_init_vars
+
+echo "Deploy Koji credentials."
+
+if [[ -z "$KOJI_ACCOUNT_IMAGE_BUILDER_ARN" ]]; then
+  echo "KOJI_ACCOUNT_IMAGE_BUILDER_ARN not defined, skipping."
+  exit 0
+fi
+
+/usr/local/bin/aws secretsmanager get-secret-value \
+  --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
+  --secret-id "${KOJI_SERVICE_ACCOUNT_IMAGE_BUILDER_ARN}" | jq -r ".SecretString" > /tmp/koji_credentials.json
+
+KOJIHUB=$(jq -r ".kojihub" /tmp/koji_credentials.json)
+PRINCIPAL=$(jq -r ".principal" /tmp/koji_credentials.json)
+
+jq -r ".keytab" /tmp/koji_credentials.json | base64 -d >/etc/osbuild-worker/koji.keytab
+rm /tmp/koji_credentials.json
+
+sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
+[koji."${KOJIHUB}".kerberos]
+principal = "${PRINCIPAL}"
+keytab = "/etc/osbuild-worker/koji.keytab"
+EOF
+
--- a/templates/packer/ansible/roles/common/files/worker-initialization.service
+++ b/templates/packer/ansible/roles/common/files/worker-initialization.service
@ -14,6 +14,7 @@ ExecStart=/usr/local/libexec/worker-initialization-scripts/subscription_manager.
 ExecStart=/usr/local/libexec/worker-initialization-scripts/get_aws_creds.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/get_azure_creds.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/get_gcp_creds.sh
+ExecStart=/usr/local/libexec/worker-initialization-scripts/get_koji_creds.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/worker_service.sh

 [Install]