Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix the templating of secret variables in github pipelines #56

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Fix the templating of secret variables in github pipelines #56

wants to merge 5 commits into from

Conversation

chmeliik
Copy link
Member

Adresses the TODOs in the workflow files about using the secrets list from templates/data.yaml

@chmeliik chmeliik mentioned this pull request Nov 12, 2024
Merged
chmeliik
chmeliik commented Nov 12, 2024
View reviewed changes
generated/source-repo/jenkins/Jenkinsfile Outdated Show resolved Hide resolved
generated/source-repo/githubactions/.github/workflows/build-and-update-gitops.yml Outdated
Comment on lines 22 to 23
# Uncomment this when using Gitlab
# GITOPS_AUTH_USERNAME: ${{ secrets.GITOPS_AUTH_USERNAME }}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's silly to include this here, so I'll think of some exclusion mechanism (maybe just ignore this one specific secret directly in the template code)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's silly to include this here, so I'll think of some exclusion mechanism (maybe just ignore this one specific secret directly in the template code)

I was thinking we automatically include if the repo is gitlab ... Its kind of a pain to have to uncomment it... We can fix automate in the generated templates
See this https://github.com/redhat-appstudio/tssc-sample-templates/blob/main/skeleton/gitops-template/components/http/overlays/development/source-repository.yaml as an example
In this repo, we have to generate this code in the jenkinsfile for use in the tssc-sample-template ( template generating code to be expanded later(
{%- if values.hostType == 'Gitlab' %}
GITOPS_AUTH_USERNAME: ${{ secrets.GITOPS_AUTH_USERNAME }}
{%- endif %}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the GH actions pipeline, so the repo is never Gitlab (which is what I meant by "it's silly to include this")

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the GH actions pipeline, so the repo is never Gitlab (which is what I meant by "it's silly to include this")

Agree.
We're talking about a two things.

  1. automatically adding the line if the repo the jenkinsfile is in fact a gitlab repo. We can do that at template generation time when we know the destination git type and the user doen't need to undo the commenting out
  2. Your point that Github should not have it - the mechanism for that in the generator is fine but the case (1) would take care of it but I agree would look silly

We should do both

@chmeliik
Copy link
Member Author

I noticed that the gitlab-ci pipelines don't set any variables explicitly, how does that work? Do all the org-wide variables just apply implicitly, even without being defined in the YAML?

@simonbaird
Copy link
Collaborator

simonbaird commented Nov 12, 2024
edited
Loading

I noticed that the gitlab-ci pipelines don't set any variables explicitly, how does that work? Do all the org-wide variables just apply implicitly, even without being defined in the YAML?

Not sure why it's inconsistent. Maybe the vars are set via the ./rhtap/env.sh file, so there's no need to set them again in the yaml.

@jduimovich
Copy link
Member

I noticed that the gitlab-ci pipelines don't set any variables explicitly, how does that work? Do all the org-wide variables just apply implicitly, even without being defined in the YAML?

Yes, gitlab variables are available by default in the pipelines. There are some options to restrict some to protected branches and for PRs and to mask or allow visible values

@jduimovich
Copy link
Member

Not sure why this is needed, in Jenkins, when you use credentials QUAY_IO_CREDS = credentials('QUAY_IO_CREDS') it creates the other two.

The code credentials ('VARIABLE_NAME') makes <VARIABLE_NAME>, <VARIABLE_NAME>_USR, <VARIABLE_NAME>_PSW
with VARIABLE_NAME being defined as the colon separated value USR:PSW

@chmeliik
Copy link
Member Author

Not sure why this is needed, in Jenkins, when you use credentials QUAY_IO_CREDS = credentials('QUAY_IO_CREDS') it creates the other two.

The code credentials ('VARIABLE_NAME') makes <VARIABLE_NAME>, <VARIABLE_NAME>_USR, <VARIABLE_NAME>_PSW with VARIABLE_NAME being defined as the colon separated value USR:PSW

In Jenkins yes, in Github no. So we either need to update templates/data.yaml with something like this:

build_secrets:
  - name: QUAY_IO_CREDS
    if: ci == "jenkins"
  - name: QUAY_IO_CREDS_USR
    if: ci != "jenkins"
  - name: QUAY_IO_CREDS_PSW
    if: ci != "jenkins"

Or stop relying on Jenkins-specific behavior

@chmeliik chmeliik force-pushed the fix-templates branch 2 times, most recently from 6512621 to bc85404 Compare November 13, 2024 10:05
@chmeliik
Copy link
Member Author

In Jenkins yes, in Github no. So we either need to update templates/data.yaml with something like this:

build_secrets:
  - name: QUAY_IO_CREDS
    if: ci == "jenkins"
  - name: QUAY_IO_CREDS_USR
    if: ci != "jenkins"
  - name: QUAY_IO_CREDS_PSW
    if: ci != "jenkins"

I gave this a shot, see if you prefer this

@chmeliik
source-repo/githubactions: template the secrets
5d3a216 
Don't hardcode the secrets, use the data from templates/data.yaml

Note: this has replaced QUAY_IO_CREDS_{USR,PSW} with QUAY_IO_CREDS.
That's not correct, to be fixed soon.

Signed-off-by: Adam Cmiel <[email protected]>
@chmeliik
gitops/githubactions: template the secrets
bbfe819 
Don't hardcode the secrets, use the data from templates/data.yaml

Note that previously, the gitops pipeline used the same secrets as the
source-repo build pipeline. It probably shouldn't have.

Signed-off-by: Adam Cmiel <[email protected]>
@chmeliik
templates: support 'if' clause for secrets
45f8c3a 
In templates/data.yaml, add an 'if' attribute to secrets. It can be
arbitrary javascript code and can make use of the globals set in
render.cjs in setupGlobals.

In template files, use eval_if_condition to evaluate the condition.

Signed-off-by: Adam Cmiel <[email protected]>
@chmeliik
github: don't set GITOPS_AUTH_USERNAME variable
1f58e5e 
It is only used for Gitlab, it makes no sense to include it in the
Github pipeline.

Signed-off-by: Adam Cmiel <[email protected]>
@chmeliik
github: fix QUAY_IO_CREDS_* variables
948dd85 
The scripts expect QUAY_IO_CREDS_USR and QUAY_IO_CREDS_PSW variables.
But templates/data.yaml defines only QUAY_IO_CREDS (which none of the
scripts use).

QUAY_IO_CREDS is a special case for Jenkins, where we create the secret
as a username+password secret. Jenkins automatically injects the _USR
and _PSW environment variables [1].

For pipelines other than Jenkins, set the required variables directly.

[1]: https://www.jenkins.io/doc/book/pipeline/jenkinsfile/#usernames-and-passwords

Signed-off-by: Adam Cmiel <[email protected]>
@chmeliik chmeliik marked this pull request as ready for review November 18, 2024 11:34
@chmeliik
Copy link
Member Author

Rebased on main, re-generated to include the TRUSTIFICATION secrets

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jduimovich jduimovich jduimovich left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@chmeliik @simonbaird @jduimovich