feat: add Cloudsmith auth #710
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I think we should add the values as other parameters for the orb job and set them as environment variables. We can then pass those parameters in the CircleCI config generated by Tool Kit. |
|
I've pushed a commit to this branch to illustrate my idea – hope that's okay! |
rowanmanning
force-pushed
the
cloudsmith-orb
branch
2 times, most recently
from
155f2bc to
e39055b
Compare
ivomurrell
reviewed
Nov 14, 2024
rowanmanning
force-pushed
the
cloudsmith-orb
branch
from
e39055b to
d3606b8
Compare
2 tasks
ivomurrell
force-pushed
the
cloudsmith-orb
branch
from
d3606b8 to
492cb95
Compare
ivomurrell
force-pushed
the
circleci-workflow-jobs
branch
from
fac03cd to
e33e579
Compare
ivomurrell
force-pushed
the
cloudsmith-orb
branch
2 times, most recently
from
fc135e1 to
8f968e3
Compare
|
@rowanmanning do you have any suggestions for better descriptions for the new Cloudsmith options? 😅 I haven't done enough research into how Cloudsmith works yet to be able to write these intelligently |
|
Meh nah I think they're fine for now, feel a bit redundant but we can always tweak later if we thinking of something better |
ivomurrell
approved these changes
Dec 5, 2024
This adds in the orb to authenticate with Cloudsmith via OIDC. Our Cloudsmith orb requires two environment variables to work: * CLOUDSMITH_ORGANISATION * CLOUDSMITH_SERVICE_ACCOUNT To allow us to specify these in Tool Kit config instead (which is a lot cleaner, the config lives in the code etc) we need to define a schema for a nonexistent `cloudsmith` plugin and then pass params through into the CircleCI config. Co-Authored-By: Alex Muller <[email protected]> Co-Authored-By: Ivo Murrell <[email protected]>
Tool Kit will not allow you to declare options for plugins that don't exist (to avoid the likely case that there was a typo), but we want to declare Cloudsmith specific options that are used to generate CircleCI config. Declare a barebones plugin to facilitate this.
Tool Kit will be able to merge the additional custom CircleCI config into the configuration already defined by the circleci-deploy plugin. This will allow users to explicitly opt into the cloudsmith logic by installing the plugin, and compartmentalises the configuration.
This is primarily so that our git hook can automatically fill in autogenerated docs where appropriate.
We'll likely never the flexibility to set a different organisation. Co-Authored-By: Rowan Manning <[email protected]>
ivomurrell
force-pushed
the
cloudsmith-orb
branch
from
3a209d2 to
4c5b190
Compare
joelcarr
reviewed
Dec 10, 2024
| @@ -30,6 +30,10 @@ options: | |||
| !toolkit/if-defined '@dotcom-tool-kit/serverless.awsAccountId': | |||
| aws-account-id: !toolkit/option '@dotcom-tool-kit/serverless.awsAccountId' | |||
| system-code: !toolkit/option '@dotcom-tool-kit/serverless.systemCode' | |||
| !toolkit/if-defined '@dotcom-tool-kit/cloudsmith.organisation': | |||
| cloudsmith-org: !toolkit/option '@dotcom-tool-kit/cloudsmith.organisation' | |||
There was a problem hiding this comment.
question: Could these parameters be CircleCI contexts or environment variables in Doppler?
There was a problem hiding this comment.
I looked at environment variables but:
- I think it's better for this option to sit alongside the code, it mirrors how we do other things like configuring the doppler project.
- Params simplify migration because you can hopefully make the switch with only Tool Kit config changes and nothing else (e.g. no further instructions to add stuff to Doppler)
- It's really only the the
cloudsmith-service-accountwhich rarely (almost never) changes, unless a repo changes team ownership. The cloudsmith-org is hard-coded which isn't as possible to do via environment variables
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This adds in the orb to authenticate with Cloudsmith via OIDC. I'm not sure what the next step is to be honest, because the orb works differently to the AWS login one. The only way to auth with Cloudsmith via this orb is by setting two environment variables:
I'd rather these be Tool Kit options because that means the values (non-secrets) are stored as config in our apps. It also means we can default the
financial-timesone more easily.What I don't know how to do is to convert a Tool Kit option to environment variables before we auth and pass them along in a way that means we don't try to auth with Cloudsmith if the options aren't present. Help?
Checklist:
feat(circleci): add support for nightly workflows,fix: set Heroku app name for staging apps too