
Commit 1ca073d

Migrate OpenShift & Plus secrets to Azure Vault (#8515)
1 parent 88de4fa commit 1ca073d

12 files changed

+514
-356
lines changed


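--- a/.github/actions/certify-openshift-image/action.yml
+++ b/.github/actions/certify-openshift-image/action.yml
@@ -20,7 +20,7 @@ inputs:
 required: false
 default: "amd64,arm64"
 submit:
-description: Submit results to Redhat PYAXIS
+description: Submit results to Redhat PYXIS
 required: false
 default: true
 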
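--- a/.github/workflows/build-artifacts.yml
+++ b/.github/workflows/build-artifacts.yml
@@ -91,14 +91,6 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GOPATH: ${{ inputs.go-path }}
 GOPROXY: ${{ inputs.go-proxy }}
-AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }}
-AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }}
-AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }}
-AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }}
-AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }}
-AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }}
-AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }}
-AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }}
 GORELEASER_CURRENT_TAG: "v${{ inputs.ic-version }}"
 if: ${{ inputs.force }}
 
@@ -115,6 +107,10 @@ jobs:
 key: nginx-ingress-${{ inputs.go-md5 }}
 if: ${{ inputs.force }}
 
+- name: Cleanup netrc
+run: rm -f $HOME/.netrc
+if: ${{ always() }}
+
 # generate-assertion-doc:
 # if: ${{ github.event_name != 'pull_request' }}
 # name: Assertion Doc ${{ matrix.nic.arch }}
@@ -190,9 +186,9 @@ jobs:
 # with:
 # assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}
 
-- name: Cleanup netrc
-run: rm -f $HOME/.netrc
-if: ${{ always() }}
+#  - name: Cleanup netrc
+# run: rm -f $HOME/.netrc
+# if: ${{ always() }}
 
 build-docker:
 name: Build Docker OSS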
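Review bot: The original `Cleanup netrc` step at old lines 193-195 is left behind as a commented-out block (new lines 189-191) after its copy was inserted at new lines 110-113, so the workflow now carries dead YAML that will drift from the live step; delete the commented block, or if it is kept as a marker for the commented-out generate-assertion-doc job, say so with a comment such as `# re-enable together with generate-assertion-doc above`. In the live step, `run: rm -f $HOME/.netrc` leaves `$HOME` unquoted; `run: rm -f "$HOME/.netrc"` is the safer form. Separately, the eight `AWS_*` entries dropped from the goreleaser `env` in the first hunk (and the same entries in build-single-image.yml) have no replacement anywhere in this diff; if the goreleaser config still reads those names, they now expand empty, so this is worth confirming against that config. The enclosing `jobs:` mapping starts outside every hunk here.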

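--- a/.github/workflows/build-single-image.yml
+++ b/.github/workflows/build-single-image.yml
@@ -107,14 +107,6 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GOPATH: ${{ steps.vars.outputs.go_path }}
-AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }}
-AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }}
-AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }}
-AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }}
-AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }}
-AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }}
-AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }}
-AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }}
 GORELEASER_CURRENT_TAG: "v${{ steps.vars.outputs.ic_version }}"
 if: ${{ steps.binary-cache.outputs.binary_cache_hit != 'true' }}
 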
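--- a/.github/workflows/certify-ubi-image.yml
+++ b/.github/workflows/certify-ubi-image.yml
@@ -34,16 +34,37 @@ jobs:
 certify-ubi-images:
 name: Certify OpenShift UBI images
 runs-on: ubuntu-24.04
+permissions:
+contents: read
+id-token: write
 steps:
 - name: Checkout
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PYXIS_TOKEN"
+echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT
+PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID"
+echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT
+
 - name: Certify UBI OSS images in quay
 uses: ./.github/actions/certify-openshift-image
 with:
 image: ${{ inputs.image }}
-project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
-pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
+project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }}
+pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }}
 preflight_version: ${{ inputs.preflight_version }}
 submit: ${{ inputs.submit || true }}
 platforms: ${{ inputs.platforms }}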

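--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -456,6 +456,25 @@ jobs:
 with:
 version: 'v3.18.6'
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ needs.checks.outputs.forked_workflow != 'true' }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt')
+echo "::add-mask::$PLUS_JWT"
+echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT
+if: ${{ needs.checks.outputs.forked_workflow != 'true' }}
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
@@ -525,7 +544,7 @@ jobs:
 if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}
 
 - name: Create Plus Secret
-run: kubectl create secret generic license-token --from-literal=license.jwt="${{ secrets.PLUS_JWT }}" --type="nginx.com/license"
+run: kubectl create secret generic license-token --from-literal=license.jwt="${{ steps.secrets.outputs.PLUS_JWT }}" --type="nginx.com/license"
 if: ${{ matrix.type == 'plus' && steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}
 
 - name: Install Chart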
