From bd9b0ff31aed1ba222bfcf0d6bda017898679a58 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Tue, 10 Sep 2019 14:24:08 -0400 Subject: [PATCH] Add new AWS creds secret for running kola tests In this PR we add the aws-fcos-kola-bot-config secret that represents credentials to use when running kola tests in AWS. This will allow us to upload builds to the prod Fedora Account (more locked down security) and do testing in our community Fedora Account where we have control over the credentials handed out. --- HACKING.md | 22 +++++++++++++++++++--- Jenkinsfile.kola.aws | 1 + manifests/pod.yaml | 10 ++++++++++ manifests/sleep.yaml | 10 ++++++++++ 4 files changed, 40 insertions(+), 3 deletions(-) diff --git a/HACKING.md b/HACKING.md index 1f19cfe98..e18a08315 100644 --- a/HACKING.md +++ b/HACKING.md @@ -150,7 +150,7 @@ If you're planning to test changes, it would be best to fork this repo so that you do your work there. The workflow requires a remote repo to which to push changes. -### Creating AWS credentials config +### Creating AWS credentials configs If you are in production where we upload builds to S3 OR you want to test uploading to S3 as part of your pipeline development, you need to @@ -159,7 +159,7 @@ create a credentials config as a secret within OpenShift. First create a file with your secret content: ``` -cat <<'EOF' > /path/to/file +cat <<'EOF' > /path/to/upload-secret [default] aws_access_key_id=keyid aws_secret_access_key=key 
@@ -169,7 +169,23 @@ EOF Then create the secret in OpenShift: ``` -oc create secret generic aws-fcos-builds-bot-config --from-file=config=/path/to/file +oc create secret generic aws-fcos-builds-bot-config --from-file=config=/path/to/upload-secret +``` + +We also have a second AWS config that can be used for running kola +tests. If you have a single account that has enough permissions for +both then you can use the same account for both uploading builds and +running kola tests (i.e. re-use `upload-secret` from above. If not then +you can use a second set of credentials for the kola tests. + +``` +cat <<'EOF' > /path/to/kola-secret +[default] +aws_access_key_id=keyid +aws_secret_access_key=key +EOF + +oc create secret generic aws-fcos-kola-bot-config --from-file=config=/path/to/kola-secret ``` ### Create a Jenkins instance with a persistent volume backing store diff --git a/Jenkinsfile.kola.aws b/Jenkinsfile.kola.aws index 1a6efeda4..717893641 100644 --- a/Jenkinsfile.kola.aws +++ b/Jenkinsfile.kola.aws @@ -48,6 +48,7 @@ podTemplate(cloud: 'openshift', label: 'coreos-assembler', yaml: pod, defaultCon stage('AWS Kola Run') { utils.shwrap(""" + export AWS_CONFIG_FILE=\${AWS_FCOS_KOLA_BOT_CONFIG} kola run -p aws --aws-ami ${ami} --aws-region ${ami_region} -b fcos -j 10 || : tar -cf - _kola_temp/ | xz -c9 > _kola_temp.tar.xz """) diff --git a/manifests/pod.yaml b/manifests/pod.yaml index ad09ad032..949621415 100644 --- a/manifests/pod.yaml +++ b/manifests/pod.yaml @@ -20,12 +20,17 @@ spec: env: - name: AWS_FCOS_BUILDS_BOT_CONFIG value: /.aws-fcos-builds-bot-config/config + - name: AWS_FCOS_KOLA_BOT_CONFIG + value: /.aws-fcos-kola-bot-config/config volumeMounts: - name: data mountPath: /srv/ - name: aws-fcos-builds-bot-config mountPath: /.aws-fcos-builds-bot-config/ readOnly: true + - name: aws-fcos-kola-bot-config + mountPath: /.aws-fcos-kola-bot-config/ + readOnly: true - name: github-token mountPath: /.github readOnly: true 
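Review bot: The added `export AWS_CONFIG_FILE=\${AWS_FCOS_KOLA_BOT_CONFIG}` in the 'AWS Kola Run' stage is never checked, and the secret behind it is declared `optional: true` in manifests/pod.yaml, so the path may name a file that was never mounted. In that case the AWS client inside kola presumably falls back to whatever other credential sources the pod offers. Because the existing `|| :` on the `kola run` line swallows the exit status, a run with the wrong identity or with none looks like a normal run. I would fail the stage before the export with `test -r "\${AWS_FCOS_KOLA_BOT_CONFIG}" || { echo "missing kola AWS config" >&2; exit 1; }` and quote the exported value. It is also worth confirming that kola reads keys from the file named by `AWS_CONFIG_FILE`, since the HACKING.md sample puts `aws_access_key_id` there rather than in a file named by `AWS_SHARED_CREDENTIALS_FILE`; the stage body continues outside the hunk.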
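Review bot: The new `aws-fcos-kola-bot-config` mount sits beside `aws-fcos-builds-bot-config` in the same container, so any job scheduled with this pod spec can read both credential files. The commit message says the second secret exists to keep the locked-down upload account apart from the test account, yet the kola pipeline appears to use this same template (`yaml: pod` in Jenkinsfile.kola.aws) and would still see the upload credentials whenever that secret exists in the namespace. Consider a separate pod spec for the kola pipeline that mounts only `aws-fcos-kola-bot-config`, or drop the builds-bot mount from pods that never upload. The same pairing is added in manifests/sleep.yaml and in the `volumes` hunks of both files; the container spec starts and ends outside this hunk.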
@@ -42,6 +47,11 @@ spec: secret: secretName: aws-fcos-builds-bot-config optional: true + # This secret is used for running aws kola tests + - name: aws-fcos-kola-bot-config + secret: + secretName: aws-fcos-kola-bot-config + optional: true - name: github-token secret: secretName: coreosbot-github-token diff --git a/manifests/sleep.yaml b/manifests/sleep.yaml index 777ac72f0..88db077fe 100644 --- a/manifests/sleep.yaml +++ b/manifests/sleep.yaml @@ -15,12 +15,17 @@ spec: env: - name: AWS_FCOS_BUILDS_BOT_CONFIG value: /.aws-fcos-builds-bot-config/config + - name: AWS_FCOS_KOLA_BOT_CONFIG + value: /.aws-fcos-kola-bot-config/config volumeMounts: - name: data mountPath: /srv/ - name: aws-fcos-builds-bot-config mountPath: /.aws-fcos-builds-bot-config/ readOnly: true + - name: aws-fcos-kola-bot-config + mountPath: /.aws-fcos-kola-bot-config/ + readOnly: true securityContext: privileged: false volumes: @@ -32,3 +37,8 @@ spec: secret: secretName: aws-fcos-builds-bot-config optional: true + # This secret is used for running aws kola tests + - name: aws-fcos-kola-bot-config + secret: + secretName: aws-fcos-kola-bot-config + optional: true