
Commit 7e0e582

authored
Migrate docker & nginx bot credentials to Azure Vault (#8530)
1 parent 56f2322 commit 7e0e582

12 files changed

+363
-73
lines changed

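--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -61,6 +61,26 @@ jobs:
           ref: ${{ inputs.branch }}
           fetch-depth: 0
 
+      - name: Azure login Common Vault
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+        if: ${{ inputs.authenticated }}
+
+      - name: Setup secrets Common Vault
+        id: secrets-common
+        run: |
+          echo "Setting secrets for job"
+          DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$DOCKER_USERNAME"
+          echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT
+          DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$DOCKER_PASSWORD"
+          echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+        if: ${{ inputs.authenticated }}
+
       - name: Authenticate to Google Cloud
         id: auth
         uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
@@ -81,8 +101,8 @@ jobs:
       - name: DockerHub Login
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }}
+          password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }}
         if: ${{ inputs.authenticated }}
 
       - name: Docker meta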

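--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -94,6 +94,26 @@ jobs:
           echo $RHEL_CREDS > rhel_license
         if: ${{ inputs.authenticated }}
 
+      - name: Azure login Common Vault
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+        if: ${{ inputs.authenticated }}
+
+      - name: Setup secrets - Common Vault
+        id: secrets-common
+        run: |
+          echo "Setting secrets for job"
+          DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$DOCKER_USERNAME"
+          echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT
+          DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$DOCKER_PASSWORD"
+          echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+        if: ${{ inputs.authenticated }}
+
       - name: Authenticate to Google Cloud
         id: auth
         uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
@@ -114,8 +134,8 @@ jobs:
       - name: DockerHub Login
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }}
+          password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }}
         if: ${{ inputs.authenticated }}
 
       - name: NAP modules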
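Review bot: The new step is named `Setup secrets - Common Vault` with id `secrets-common` here, while the otherwise identical step in build-oss.yml is `Setup secrets Common Vault` and the three other workflows in this commit use `Setup secrets` with id `secrets`; one name and one id across the workflows would make the step easier to locate in run logs and in later edits, e.g. `- name: Setup secrets Common Vault` to match build-oss.yml. Separately, this job's `permissions:` block is outside the hunk: `azure/login` called with only `client-id`/`tenant-id`/`subscription-id` relies on OIDC federation, which needs `id-token: write` on the job, as cherry-pick.yml, create-release-branch.yml and dockerhub-description.yml add in this commit — worth confirming it is set for this job and for the one in build-oss.yml.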

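--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -13,6 +13,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write
     runs-on: ubuntu-24.04
     name: Cherry pick into release branch
     if: ${{ contains(github.event.pull_request.labels.*.name, 'needs cherry pick') && github.event.pull_request.merged == true }}
@@ -31,10 +32,25 @@ jobs:
           echo "branch=${release_branch}" >> $GITHUB_OUTPUT
           cat $GITHUB_OUTPUT
 
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$NGINX_PAT"
+          echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
       - name: Cherry pick into ${{ steps.branch.outputs.branch }}
         uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3 # v1.0.10
         with:
           branch: ${{ steps.branch.outputs.branch }}
-          token: ${{ secrets.NGINX_PAT }}
+          token: ${{ steps.secrets.outputs.NGINX_PAT }}
           author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>
           title: "[cherry-pick] {old_title}"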
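Review bot: Once the `Setup secrets` step has read `nginx-bot-pat`, the Azure CLI session established by `azure/login` remains on the runner for the rest of the job, including the third-party `carloscastrojumo/github-cherry-pick-action` step that follows, so that step runs with the ability to read the same vault although it only needs the PAT it is handed. Ending the session right after the value is captured keeps vault access scoped to the one step that needs it: append `az logout` (or `az account clear`) as the last line of the `run:` block, after the `>> $GITHUB_OUTPUT` line. The same applies to the `Setup secrets` steps in create-release-branch.yml and dockerhub-description.yml and to the `Setup secrets Common Vault` steps in build-oss.yml and build-plus.yml, all of which are followed by further steps in their jobs.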

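--- a/.github/workflows/create-release-branch.yml
+++ b/.github/workflows/create-release-branch.yml
@@ -36,12 +36,28 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write
     steps:
       - name: Checkout NIC repo
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           ref: ${{ inputs.source_branch }}
 
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$NGINX_PAT"
+          echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
       - name: Create new release branch
         run: |
           branch="${{ inputs.branch_prefix }}${{ inputs.release_version }}"
@@ -66,4 +82,4 @@ jobs:
           git push --dry-run origin "${branch}"
           fi
         env:
-          GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
+          GITHUB_TOKEN: ${{ steps.secrets.outputs.NGINX_PAT }}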

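--- a/.github/workflows/dockerhub-description.yml
+++ b/.github/workflows/dockerhub-description.yml
@@ -17,6 +17,9 @@ permissions:
 jobs:
   dockerHubDescription:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      id-token: write
     if: ${{ github.event.repository.fork == false }}
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
@@ -25,10 +28,28 @@ jobs:
         run: |
           sed -i '3,4d' README.md
 
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$DOCKER_USERNAME"
+          echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT
+          DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$DOCKER_PASSWORD"
+          echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+
       - name: Docker Hub Description
         uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ steps.secrets.outputs.DOCKER_USERNAME }}
+          password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }}
           repository: nginx/nginx-ingress
           short-description: ${{ github.event.repository.description }}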
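Review bot: The job-level `permissions:` added to `dockerHubDescription` (`contents: read`, `id-token: write`) replaces rather than extends the workflow-level `permissions:` block that the first hunk header shows at line 17, so any scope that block granted beyond `contents: read` is no longer available to this job. The visible steps (checkout, the `sed` on README.md, and the description push that authenticates with the DockerHub credentials) need nothing more, but the job's remaining steps are outside the hunk, so confirm none of them relied on the workflow-level grants. If no other job in the file uses the top-level block, reducing it to the same two scopes, or removing it, would leave a single source of truth for what this workflow can do.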
