From 3f11fe2c67ca3c9d38c8615d8fdbf6edecccbd44 Mon Sep 17 00:00:00 2001
From: Enol Fernandez
Date: Mon, 17 Jun 2024 15:19:35 +0100
Subject: [PATCH] Move towards better secret management
---
 .github/workflows/deploy.yml | 27 +++++++++++++++------------
 deploy/cloud-init.yaml | 4 ++--
 deploy/deploy.sh | 2 ++
 3 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index e6f6a9ec..91df8a23 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -25,17 +25,16 @@ jobs:
 curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq
 chmod +x jq
 pip install yq git+https://github.com/tdviet/fedcloudclient.git
- curl -L https://github.com/oidc-mytoken/client/releases/download/v0.3.0/mytoken_0.3.0_Linux_x86_64.tar.gz \
- | tar -xzf -
- mkdir ~/.mytoken
- curl https://raw.githubusercontent.com/oidc-mytoken/client/master/config/example-config.yaml > ~/.mytoken/config.yaml
 - name: Configure providers access
 env:
- MYTOKEN: ${{ secrets.MYTOKEN }}
 REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }}
+ ANSIBLE_SECRETS: ${{ secrets.ANSIBLE_SECRETS }}
 run: |
+ # using parametric scopes to only have access to cloud.egi.eu VO
+ SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement"
+ SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu"
 OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \
- -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=openid%20email%20profile%20voperson_id%20eduperson_entitlement" \
+ -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=$SCOPE" \
 | jq -r ".access_token")
 echo "::add-mask::$OIDC_TOKEN"
 cd deploy
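Review bot: The second `SCOPE=` line in the new `run:` block joins the parametric scope to the previous list with `:` rather than a `%20` separator, so the scope string sent to the token endpoint ends in `eduperson_entitlement:eduperson_entitlement:urn:mace:egi.eu:…` — a single scope token instead of `eduperson_entitlement` followed by the parametric scope; if that doubling is intended, the comment above it should say so. The appended tail is also passed into the `-d` form body unencoded while the head is hand percent-encoded, and it contains `=` and `#`; writing the scope as a plain string and letting curl encode it removes both problems, e.g. `SCOPE="openid email profile voperson_id eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu"` together with `-d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal" --data-urlencode "scope=$SCOPE" \`. The same three lines are repeated verbatim in the `@@ -132,11 +133,13 @@` hunk of this file; hoisting `SCOPE` to a job-level `env:` would keep the two steps from drifting apart. The `run:` block of this step continues past the end of the hunk.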
@@ -54,6 +53,11 @@ jobs:
 sed -i -e "s/deploy_secret/$DEPLOY_OS_TOKEN/" clouds.yaml
 mkdir -p ~/.config/openstack
 touch ~/.config/openstack/secure.yaml
+ FEDCLOUD_LOCKER_TOKEN="$(fedcloud secret locker --oidc-access-token "$OIDC_TOKEN" \
+ create --ttl 1h --num-uses 2)"
+ fedcloud secret put deploy "data=$ANSIBLE_SECRETS"
+ echo "::add-mask::$FEDCLOUD_LOCKER_TOKEN"
+ echo "FEDCLOUD_LOCKER_TOKEN=$FEDCLOUD_LOCKER_TOKEN" >> "$GITHUB_ENV"
 - name: Setup Terraform
 uses: hashicorp/setup-terraform@v3
 with:
@@ -71,16 +75,13 @@ jobs:
 - name: Adjust cloud-init file
 env:
 SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- ANSIBLE_SECRETS: ${{ secrets.ANSIBLE_SECRETS }}
 run: |
 cd deploy
 sed -i -e "s/%TOKEN%/${{ secrets.GITHUB_TOKEN }}/" cloud-init.yaml
 sed -i -e "s/%REF%/${{ github.sha }}/" cloud-init.yaml
 sed -i -e "s/%SHORT_REF%/$(git rev-parse --short HEAD)/" cloud-init.yaml
 sed -i -e "s#%SLACK_WEBHOOK_URL%#$SLACK_WEBHOOK_URL#" cloud-init.yaml
- ANSIBLE_ENCODED_SECRETS="$(echo "$ANSIBLE_SECRETS" | base64 -w 0)"
- echo "::add-mask::$ANSIBLE_ENCODED_SECRETS"
- sed -i -e "s/%ANSIBLE_SECRETS%/$ANSIBLE_ENCODED_SECRETS/" cloud-init.yaml
+ sed -i -e "s/%FEDCLOUD_LOCKER_TOKEN%/$FEDCLOUD_LOCKER_TOKEN/" cloud-init.yaml
 sed -i -e "s/%CLOUDS_YAML%/$(base64 -w 0 < clouds.yaml)/" cloud-init.yaml
 - name: terraform plan
 id: plan
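Review bot: `FEDCLOUD_LOCKER_TOKEN` is a plain shell variable in the new lines of the `@@ -54,6 +53,11 @@` hunk, not an exported one, so it is not in the environment of the `fedcloud secret put deploy "data=$ANSIBLE_SECRETS"` call that follows, and that call passes no locker or access token of its own; if fedcloud locates the locker through that environment variable, as the name suggests, the put presumably does not land in the locker just created. Adding `export FEDCLOUD_LOCKER_TOKEN` on its own line after the assignment fixes that while keeping the assignment separate, so a failed `$(…)` still stops the step under the default `-e` shell; the `echo "::add-mask::$FEDCLOUD_LOCKER_TOKEN"` line should also move directly under the assignment so the value is masked before any later command can print it. `--num-uses 2` leaves exactly one read for the instance after this put, so a retried fetch on the VM finds the locker exhausted; a comment stating that budget, e.g. `# one use for the put below, one for the fetch on the VM`, would make the constraint visible. The `run:` block of this step begins before the hunk.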
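Review bot: The new `sed -i -e "s/%FEDCLOUD_LOCKER_TOKEN%/$FEDCLOUD_LOCKER_TOKEN/" cloud-init.yaml` line in the `@@ -71,16 +75,13 @@` hunk uses `/` as the sed delimiter while the token is interpolated unescaped, so a token containing `/` breaks the substitution or leaves a corrupted cloud-init.yaml; the `SLACK_WEBHOOK_URL` line just above already uses `#` for exactly this reason. Unless the locker token's alphabet is known to exclude `/`, change it to `sed -i -e "s#%FEDCLOUD_LOCKER_TOKEN%#$FEDCLOUD_LOCKER_TOKEN#" cloud-init.yaml`. The value reaches this step through `$GITHUB_ENV` written in the earlier hunk, which is worth a one-line comment since nothing in this step shows where it comes from. The `run:` block starts before the hunk.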
@@ -132,11 +133,13 @@ jobs:
 terraform output -raw instance-id
 - name: Re-configure providers access
 env:
- MYTOKEN: ${{ secrets.MYTOKEN }}
 REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }}
 run: |
+ # using parametric scopes to only have access to cloud.egi.eu VO
+ SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement"
+ SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu"
 OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \
- -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=openid%20email%20profile%20voperson_id%20eduperson_entitlement" \
+ -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=$SCOPE" \
 | jq -r ".access_token")
 echo "::add-mask::$OIDC_TOKEN"
 cd deploy
diff --git a/deploy/cloud-init.yaml b/deploy/cloud-init.yaml
index 06864b62..f51f8fb5 100644
--- a/deploy/cloud-init.yaml
+++ b/deploy/cloud-init.yaml
@@ -40,14 +40,14 @@ write_files:
 SLACK_WEBHOOK_URL="%SLACK_WEBHOOK_URL%"
 COMMIT_SHA="%REF%"
 SHORT_COMMIT_SHA="%SHORT_REF%"
+ FEDCLOUD_LOCKER_TOKEN="%FEDCLOUD_LOCKER_TOKEN%"
 # get the repo code and untar at cwd
 curl -L -H "Accept: application/vnd.github.v3+raw" \
 "https://api.github.com/repos/EGI-Federation/fedcloud-catchall-operations/tarball/$COMMIT_SHA" | \
 tar xz --strip=1
 cd deploy
- echo "%ANSIBLE_SECRETS%" | base64 -d > ./secrets.yaml
- ./deploy.sh "$OAUTH_TOKEN" "$COMMIT_SHA" \
+ ./deploy.sh "$OAUTH_TOKEN" "$COMMIT_SHA" "$FEDCLOUD_LOCKER_TOKEN" \
 "$SHORT_COMMIT_SHA" "$SLACK_WEBHOOK_URL"
 path: /var/lib/cloud/scripts/per-boot/deploy.sh
 permissions: '0755'
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index 9c4b3333..a8fabfb2 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
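Review bot: The `echo "%ANSIBLE_SECRETS%" | base64 -d > ./secrets.yaml` line is removed in the `@@ -40,14 +40,14 @@` hunk of cloud-init.yaml, but nothing in this patch writes `secrets.yaml` in its place — the only change to deploy/deploy.sh is the two comment lines in its `@@ -25,6 +25,8 @@` hunk, which still ends in `cp secrets.yaml /etc/egi/vos/secrets.yaml` — so unless the fetch from the locker already exists in deploy.sh outside that hunk, the copy now fails on every boot of the instance. The same diffstat means deploy.sh's argument handling is not updated for the new third positional argument `"$FEDCLOUD_LOCKER_TOKEN"`, which shifts `$SHORT_COMMIT_SHA` and `$SLACK_WEBHOOK_URL` to `$4` and `$5`; the retrieval (presumably the `get` counterpart of the workflow's `fedcloud secret put deploy`, written to `secrets.yaml`) and the re-numbered arguments need to land in the same change, or the new argument should be appended last so existing parsing keeps working. The token is still embedded in the instance user-data, which any process on the VM can read from the metadata service for the instance's lifetime; the `--ttl 1h --num-uses 2` chosen in the workflow is what bounds that exposure, and a comment next to `FEDCLOUD_LOCKER_TOKEN="%FEDCLOUD_LOCKER_TOKEN%"` saying so would help the next reader. The `write_files` script starts before and continues after this hunk.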
@@ -25,6 +25,8 @@ else
 header="Failed deployment :boom:"
 fi
+
+ # This is a temporary way to get the auto discovery working while we transition for all sites
 # copy the secrets to the /etc/egi/vos dir which is readable from the containers
 cp secrets.yaml /etc/egi/vos/secrets.yaml