
Commit 83d018c

committed
Migrate GCR secrets to Azure vault
1 parent f2e172e commit 83d018c

14 files changed

+1005
-429
lines changed

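--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -65,13 +65,31 @@ jobs:
 with:
 platforms: arm64
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 
 - name: Login to GCR
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -122,6 +140,24 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
 - name: Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
@@ -135,8 +171,8 @@ jobs:
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 
 - name: Login to GCR
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -190,6 +226,24 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
 - name: Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
@@ -198,8 +252,8 @@ jobs:
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 
 - name: Login to GCR
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0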
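Review bot: The Azure login and Setup secrets pair is pasted unchanged into three jobs of this file (this hunk and those at +140 and +226) and into each of the other workflows shown in this commit, so the vault secret names, the masking and the output wiring now live in eleven places that must be edited together. A local composite action taking the vault name as an input and exposing the two values as step outputs would collapse every copy to a single `uses:` step and keep the lookups consistent. Within the script, `echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT` writes a malformed output line if the vault value ever contains a newline; the `GCR_WORKLOAD_ID<<EOF` delimiter form of `$GITHUB_OUTPUT` is the robust way to write step outputs, and quoting `"$GITHUB_OUTPUT"` is the usual shell hygiene. I cannot tell from the hunk whether the vault values are ever multi-line, so treat that as hardening rather than a known failure.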

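--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -61,13 +61,31 @@ jobs:
 ref: ${{ inputs.branch }}
 fetch-depth: 0
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 if: ${{ inputs.authenticated }}
 
 - name: Login to GCR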
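Review bot: The added Azure login and Setup secrets steps carry no `if:`, while the Authenticate to Google Cloud step that consumes `steps.secrets.outputs.*` keeps its `if: ${{ inputs.authenticated }}` (new line 89) and the same two steps in build-plus.yml were given that guard. With `authenticated` false this job will still run `azure/login` and the two `az keyvault secret show` calls, which presumably fail wherever the caller cannot supply the Azure secrets, so the unauthenticated path this workflow explicitly supports would break. Adding `if: ${{ inputs.authenticated }}` to both new steps, as build-plus.yml does, keeps the producer and consumer steps on the same condition. The enclosing job starts before this hunk, so I cannot see whether an earlier step already gates on the same input.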

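--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -63,13 +63,33 @@ jobs:
 ref: ${{ inputs.branch }}
 fetch-depth: 0
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ inputs.authenticated }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+if: ${{ inputs.authenticated }}
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 if: ${{ inputs.authenticated }}
 
 - name: Login to GCR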

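--- a/.github/workflows/build-single-image.yml
+++ b/.github/workflows/build-single-image.yml
@@ -64,13 +64,31 @@ jobs:
 echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
 cat $GITHUB_OUTPUT
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 
 - name: Login to GCR
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0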

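--- a/.github/workflows/build-test-image.yml
+++ b/.github/workflows/build-test-image.yml
@@ -33,13 +33,31 @@ jobs:
 - name: Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 
 - name: Login to GCR
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0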

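--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -127,13 +127,33 @@ jobs:
 key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }}
 lookup-only: true
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ steps.vars.outputs.forked_workflow == 'false' }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+if: ${{ steps.vars.outputs.forked_workflow == 'false' }}
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 if: ${{ steps.vars.outputs.forked_workflow == 'false' }}
 
 - name: Login to GCR
@@ -366,13 +386,33 @@ jobs:
 platforms: arm64
 if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
 
 - name: Login to GCR
@@ -436,13 +476,33 @@ jobs:
 with:
 version: 'v3.18.6'
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ needs.checks.outputs.forked_workflow != 'true' }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+if: ${{ needs.checks.outputs.forked_workflow != 'true' }}
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
 
 - name: Login to GCR
@@ -576,13 +636,33 @@ jobs:
 - name: Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
 
 - name: Login to GCR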
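Review bot: In the hunk at +476 the new Azure login and Setup secrets steps are gated on `if: ${{ needs.checks.outputs.forked_workflow != 'true' }}` while the Authenticate to Google Cloud step that reads `steps.secrets.outputs.*` (new line 506) keeps `forked_workflow == 'false' || docs_only == 'false'`; when `forked_workflow` is 'true' and `docs_only` is 'false' the auth step runs with empty `workload_identity_provider` and `service_account` because its producer was skipped. The other three hunks use `== 'false' || docs_only == 'false'` on the new steps, and the hunk at +636 leaves `&&` on the auth step it feeds, so the producer/consumer pairing differs in every job. Give the producer steps and the auth step the same expression in each job, e.g. `if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}` on both new steps in the +476 hunk. The enclosing jobs start before each hunk, so I cannot see whether a fork run ever reaches these steps in practice.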
