
Commit 002a0ea

authored
Migrate GCR secrets to Azure Vault (#8518)
1 parent 7e0e582 commit 002a0ea

14 files changed

+504
-79
lines changed

.github/workflows/build-base-images.yml

Lines changed: 36 additions & 6 deletions
@@ -65,13 +65,31 @@ jobs:
6565
with:
6666
platforms: arm64
6767

68+
- name: Azure login
69+
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
70+
with:
71+
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
72+
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
73+
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
74+
75+
- name: Setup secrets
76+
id: secrets
77+
run: |
78+
echo "Setting secrets for job"
79+
GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
80+
echo "::add-mask::$GCR_WORKLOAD_ID"
81+
echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
82+
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
83+
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
84+
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
85+
6886
- name: Authenticate to Google Cloud
6987
id: auth
7088
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
7189
with:
7290
token_format: access_token
73-
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
74-
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
91+
workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
92+
service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
7593

7694
- name: Login to GCR
7795
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -133,6 +151,12 @@ jobs:
133151
id: secrets
134152
run: |
135153
echo "Setting secrets for job"
154+
GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
155+
echo "::add-mask::$GCR_WORKLOAD_ID"
156+
echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
157+
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
158+
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
159+
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
136160
PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
137161
echo "::add-mask::$PLUS_CREDS"
138162
IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
@@ -159,8 +183,8 @@ jobs:
159183
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
160184
with:
161185
token_format: access_token
162-
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
163-
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
186+
workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
187+
service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
164188

165189
- name: Login to GCR
166190
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -230,6 +254,12 @@ jobs:
230254
id: secrets
231255
run: |
232256
echo "Setting secrets for job"
257+
GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
258+
echo "::add-mask::$GCR_WORKLOAD_ID"
259+
echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
260+
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
261+
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
262+
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
233263
PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
234264
echo "::add-mask::$PLUS_CREDS"
235265
IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
@@ -256,8 +286,8 @@ jobs:
256286
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
257287
with:
258288
token_format: access_token
259-
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
260-
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
289+
workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
290+
service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
261291

262292
- name: Login to GCR
263293
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
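Review bot: The new `Setup secrets` step at new lines 75–84 expands `${{ secrets.NIC_KEYVAULT_NAME }}` directly inside the `run:` script, so the value is spliced into the shell text before bash parses it; the usual hardening is to hand it over via `env:` and reference it quoted, i.e. `--vault-name "$NIC_KEYVAULT_NAME"` and `>> "$GITHUB_OUTPUT"`. The pre-existing `PLUS_CREDS` line in the second hunk uses the same inline pattern, so this matches the file's current style rather than introducing it, but the new copies are the natural place to stop spreading it. The identical six-line block is pasted verbatim into build-oss.yml, build-plus.yml, build-single-image.yml, build-test-image.yml and ci.yml in this commit; a composite action holding the Key Vault lookup would keep the `if:` guards and secret names from drifting between copies. A one-line comment above the block would also help the next reader: `# GCR workload-identity provider and service account are read from Key Vault, not repo secrets`.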

.github/workflows/build-oss.yml

Lines changed: 21 additions & 2 deletions
@@ -61,6 +61,25 @@ jobs:
6161
ref: ${{ inputs.branch }}
6262
fetch-depth: 0
6363

64+
- name: Azure login
65+
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
66+
with:
67+
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
68+
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
69+
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
70+
if: ${{ inputs.authenticated }}
71+
72+
- name: Setup secrets
73+
id: secrets
74+
run: |
75+
echo "Setting secrets for job"
76+
GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
77+
echo "::add-mask::$GCR_WORKLOAD_ID"
78+
echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
79+
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
80+
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
81+
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
82+
6483
- name: Azure login Common Vault
6584
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
6685
with:
@@ -86,8 +105,8 @@ jobs:
86105
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
87106
with:
88107
token_format: access_token
89-
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
90-
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
108+
workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
109+
service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
91110
if: ${{ inputs.authenticated }}
92111

93112
- name: Login to GCR
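Review bot: The new `Setup secrets` step at new lines 72–81 carries no `if:`, while the `Azure login` step just above it (new line 70) and the `Authenticate to Google Cloud` step that consumes its outputs (line 110) are both gated on `if: ${{ inputs.authenticated }}`; when `authenticated` is false the login is skipped but the `az keyvault secret show` calls still run without a session and, under the runner's default `bash -e`, would fail the job. Adding `if: ${{ inputs.authenticated }}` after the new step's `run:` block aligns it with the two steps on either side, as the ci.yml copies in this same commit already do. If unauthenticated invocations of this reusable workflow are expected to succeed, this looks like the line that breaks them.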

.github/workflows/build-plus.yml

Lines changed: 8 additions & 2 deletions
@@ -75,6 +75,12 @@ jobs:
7575
id: secrets
7676
run: |
7777
echo "Setting secrets for job"
78+
GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
79+
echo "::add-mask::$GCR_WORKLOAD_ID"
80+
echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
81+
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
82+
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
83+
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
7884
PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
7985
echo "::add-mask::$PLUS_CREDS"
8086
IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
@@ -119,8 +125,8 @@ jobs:
119125
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
120126
with:
121127
token_format: access_token
122-
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
123-
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
128+
workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
129+
service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
124130
if: ${{ inputs.authenticated }}
125131

126132
- name: Login to GCR

.github/workflows/build-single-image.yml

Lines changed: 21 additions & 17 deletions
@@ -64,33 +64,23 @@ jobs:
6464
echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
6565
cat $GITHUB_OUTPUT
6666
67-
- name: Authenticate to Google Cloud
68-
id: auth
69-
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
70-
with:
71-
token_format: access_token
72-
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
73-
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
74-
75-
- name: Login to GCR
76-
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
77-
with:
78-
registry: gcr.io
79-
username: oauth2accesstoken
80-
password: ${{ steps.auth.outputs.access_token }}
81-
8267
- name: Azure login
8368
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
8469
with:
8570
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
8671
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
8772
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
88-
if: ${{ contains(inputs.target, 'plus') }}
8973

9074
- name: Setup secrets
9175
id: secrets
9276
run: |
9377
echo "Setting secrets for job"
78+
GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
79+
echo "::add-mask::$GCR_WORKLOAD_ID"
80+
echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
81+
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
82+
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
83+
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
9484
PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
9585
echo "::add-mask::$PLUS_CREDS"
9686
IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
@@ -108,7 +98,21 @@ jobs:
10898
echo "::add-mask::${line}"
10999
done <<< "${RHEL_CREDS}"
110100
echo $RHEL_CREDS > rhel_license
111-
if: ${{ contains(inputs.target, 'plus') }}
101+
102+
- name: Authenticate to Google Cloud
103+
id: auth
104+
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
105+
with:
106+
token_format: access_token
107+
workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
108+
service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
109+
110+
- name: Login to GCR
111+
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
112+
with:
113+
registry: gcr.io
114+
username: oauth2accesstoken
115+
password: ${{ steps.auth.outputs.access_token }}
112116

113117
- name: Fetch Cached Binary Artifacts
114118
id: binary-cache
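Review bot: Removing `if: ${{ contains(inputs.target, 'plus') }}` from `Azure login` and `Setup secrets` (old lines 88 and 111) so the GCR values can be fetched for every target also means the rest of that `run:` block — `plus-creds` and, judging by `rhel_license` in the second hunk, the RHEL credentials — is now retrieved, masked and written to the workspace on OSS builds that never use it. Keeping the two GCR lookups in their own unconditional step and leaving the plus/RHEL retrieval behind the original `contains(inputs.target, 'plus')` guard would restore the narrower exposure; the `Setup secrets` body continues past the first hunk, so the exact split point is outside what is visible here. The relocated `Authenticate to Google Cloud` and `Login to GCR` steps in the second hunk read correctly now that they follow the step whose outputs they consume.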

.github/workflows/build-test-image.yml

Lines changed: 20 additions & 2 deletions
@@ -33,13 +33,31 @@ jobs:
3333
- name: Docker Buildx
3434
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
3535

36+
- name: Azure login
37+
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
38+
with:
39+
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
40+
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
41+
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
42+
43+
- name: Setup secrets
44+
id: secrets
45+
run: |
46+
echo "Setting secrets for job"
47+
GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
48+
echo "::add-mask::$GCR_WORKLOAD_ID"
49+
echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
50+
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
51+
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
52+
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
53+
3654
- name: Authenticate to Google Cloud
3755
id: auth
3856
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
3957
with:
4058
token_format: access_token
41-
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
42-
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
59+
workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
60+
service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
4361

4462
- name: Login to GCR
4563
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0

.github/workflows/ci.yml

Lines changed: 74 additions & 8 deletions
@@ -127,13 +127,33 @@ jobs:
127127
key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }}
128128
lookup-only: true
129129

130+
- name: Azure login
131+
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
132+
with:
133+
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
134+
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
135+
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
136+
if: ${{ steps.vars.outputs.forked_workflow == 'false' }}
137+
138+
- name: Setup secrets
139+
id: secrets
140+
run: |
141+
echo "Setting secrets for job"
142+
GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
143+
echo "::add-mask::$GCR_WORKLOAD_ID"
144+
echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
145+
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
146+
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
147+
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
148+
if: ${{ steps.vars.outputs.forked_workflow == 'false' }}
149+
130150
- name: Authenticate to Google Cloud
131151
id: auth
132152
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
133153
with:
134154
token_format: access_token
135-
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
136-
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
155+
workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
156+
service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
137157
if: ${{ steps.vars.outputs.forked_workflow == 'false' }}
138158

139159
- name: Login to GCR
@@ -386,13 +406,33 @@ jobs:
386406
platforms: arm64
387407
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
388408

409+
- name: Azure login
410+
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
411+
with:
412+
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
413+
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
414+
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
415+
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
416+
417+
- name: Setup secrets
418+
id: secrets
419+
run: |
420+
echo "Setting secrets for job"
421+
GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
422+
echo "::add-mask::$GCR_WORKLOAD_ID"
423+
echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
424+
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
425+
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
426+
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
427+
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
428+
389429
- name: Authenticate to Google Cloud
390430
id: auth
391431
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
392432
with:
393433
token_format: access_token
394-
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
395-
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
434+
workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
435+
service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
396436
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
397437

398438
- name: Login to GCR
@@ -468,6 +508,12 @@ jobs:
468508
id: secrets
469509
run: |
470510
echo "Setting secrets for job"
511+
GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
512+
echo "::add-mask::$GCR_WORKLOAD_ID"
513+
echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
514+
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
515+
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
516+
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
471517
PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
472518
echo "::add-mask::$PLUS_CREDS"
473519
PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt')
@@ -490,8 +536,8 @@ jobs:
490536
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
491537
with:
492538
token_format: access_token
493-
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
494-
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
539+
workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
540+
service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
495541
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
496542

497543
- name: Login to GCR
@@ -630,13 +676,33 @@ jobs:
630676
- name: Docker Buildx
631677
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
632678

679+
- name: Azure login
680+
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
681+
with:
682+
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
683+
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
684+
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
685+
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
686+
687+
- name: Setup secrets
688+
id: secrets
689+
run: |
690+
echo "Setting secrets for job"
691+
GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
692+
echo "::add-mask::$GCR_WORKLOAD_ID"
693+
echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
694+
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
695+
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
696+
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
697+
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
698+
633699
- name: Authenticate to Google Cloud
634700
id: auth
635701
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
636702
with:
637703
token_format: access_token
638-
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
639-
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
704+
workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
705+
service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
640706
if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
641707

642708
- name: Login to GCR
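Review bot: In the last hunk the new `Azure login` and `Setup secrets` steps (new lines 685 and 697) are gated on `forked_workflow == 'false' || docs_only == 'false'`, whereas the `Authenticate to Google Cloud` step they feed at line 706 uses `&&`; on a forked run with `docs_only == 'false'` the new steps execute, and since repository secrets are generally not exposed to fork-triggered runs, `azure/login` would fail the job before the `&&`-guarded auth step gets to skip. Changing both new conditions to `if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}` makes them agree with the step that depends on them. The earlier hunks in this file pair `||` with an auth step that also uses `||`, so the mismatch is specific to this job; whether `||` is itself intended there cannot be judged from the hunk alone.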
