diff --git a/.github/actions/vault-secrets/action.yml b/.github/actions/vault-secrets/action.yml
new file mode 100644
index 00000000..102c9635
--- /dev/null
+++ b/.github/actions/vault-secrets/action.yml
@@ -0,0 +1,34 @@
+name: Vault Secrets Using Teleport
+description: Retrieve Hashicorp Vault secrets
+
+runs:
+ using: "composite"
+ steps:
+ - name: Authenticate against Teleport to use Vault
+ id: teleportapp
+ uses: ./actions/.github/actions/teleport
+ env:
+ TOKEN: ${{ env.TELEPORT_TOKEN }}
+ PROXY_URL: ${{ env.TELEPORT_PROXY_URL }}
+ with:
+ TELEPORT_APP: ${{ env.TELEPORT_APP }}
+
+ - uses: frostebite/File-To-Base64@master
+ id: crtb64
+ with:
+ filePath: ${{ steps.teleportapp.outputs.certificate-file }}
+
+ - uses: frostebite/File-To-Base64@master
+ id: keyb64
+ with:
+ filePath: ${{ steps.teleportapp.outputs.key-file }}
+
+ - name: Import Secrets
+ id: import-secrets
+ uses: hashicorp/vault-action@v2
+ with:
+ url: ${{ env.VAULT_ADDR }}
+ token: ${{ env.VAULT_TOKEN }}
+ clientCertificate: ${{ steps.crtb64.outputs.base64 }}
+ clientKey: ${{ steps.keyb64.outputs.base64 }}
+ secrets: ${{ env.SECRETS }}
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index 7bd9acbc..fac95f80 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -112,6 +112,22 @@ on:
 default: 'type=gha,mode=max'
 description: 'Cache to.'
 required: false
+ ## Vault Secrets
+ VAULT_SECRETS:
+ type: string
+ default: ''
+ description: 'A comma separated list of secrets to fetch from Vault.'
+ required: false
+ TELEPORT_APP:
+ type: string
+ default: ''
+ description: 'The Teleport app to use.'
+ required: false
+ TELEPORT_PROXY_URL:
+ type: string
+ default: ''
+ description: 'The Teleport proxy URL to use.'
+ required: false
 secrets:
 DOCKERHUB_USERNAME:
 required: false
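Review bot: Both `frostebite/File-To-Base64@master` steps pull an unpinned third-party action to read the Teleport client certificate and private key files from the `teleportapp` outputs, so whatever `master` resolves to at run time receives the key; pin it to a full commit SHA, or — since the work is just base64-encoding two files — replace both steps with a single `run:` step as below. The key also ends up in a plain step output (`steps.keyb64.outputs.base64`), which GitHub does not mask in logs unless the step registers it with `::add-mask::`. Separately, the action declares no `inputs:` and instead reads `TELEPORT_TOKEN`, `TELEPORT_PROXY_URL`, `TELEPORT_APP`, `VAULT_ADDR`, `VAULT_TOKEN` and `SECRETS` from `env`, so a header comment listing these required environment variables (or declaring them as inputs) would make the contract discoverable to callers. `base64 -w0` in the excerpt is the GNU form; on runners without it use `base64 | tr -d '\n'`.
```yaml
    - name: Base64-encode the Teleport client certificate and key
      id: tlsb64
      shell: bash
      env:
        CRT_FILE: ${{ steps.teleportapp.outputs.certificate-file }}
        KEY_FILE: ${{ steps.teleportapp.outputs.key-file }}
      run: |
        crt="$(base64 -w0 "$CRT_FILE")"
        key="$(base64 -w0 "$KEY_FILE")"
        echo "::add-mask::$key"
        echo "certificate=$crt" >> "$GITHUB_OUTPUT"
        echo "key=$key" >> "$GITHUB_OUTPUT"

    - name: Import Secrets
      # … unchanged: id, uses, url, token, secrets …
      with:
        clientCertificate: ${{ steps.tlsb64.outputs.certificate }}
        clientKey: ${{ steps.tlsb64.outputs.key }}
```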
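Review bot: The `VAULT_SECRETS` description says 'A comma separated list of secrets to fetch from Vault', but the same input is described as 'A new line list' in test-vault.yml, and the value is handed unchanged to the `secrets` input of `hashicorp/vault-action`, which as far as I recall accepts newline- or `;`-separated entries rather than commas; confirm against that action's documentation and align both descriptions, e.g. `description: 'Newline-separated list of Vault secrets to fetch (vault-action secrets syntax).'`. A caller who follows the current text and writes commas would get a confusing lookup failure rather than a validation error. The same description is added in ci.yml in the @@ -143,6 +143,22 @@ hunk.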
@@ -140,6 +156,13 @@ on: BUILD_ARGS: required: false description: Whenever we wanna use secrets and mount them as env + # Vault Secrets + VAULT_TOKEN: + required: false + description: 'Vault token.' + TELEPORT_TOKEN: + required: false + description: 'Teleport token.' outputs: IMAGE_TAG: value: ${{ jobs.build.outputs.IMAGE_TAG }} @@ -219,6 +242,17 @@ jobs: # GCP_WIP: ${{ secrets.GCP_WIP }} # GCP_SA: ${{ secrets.GCP_SA }} + - name: Retrieve Secrets from HashiCorp Vault + uses: ./actions/.github/actions/vault-secrets + if: ${{ inputs.VAULT_SECRETS != '' }} + env: + VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} + VAULT_ADDR: https://${{ inputs.TELEPORT_PROXY_URL }} + TELEPORT_TOKEN: ${{ secrets.TELEPORT_TOKEN }} + TELEPORT_APP: ${{ inputs.TELEPORT_APP }} + TELEPORT_PROXY_URL: ${{ inputs.TELEPORT_PROXY_URL }} + SECRETS: ${{ inputs.VAULT_SECRETS }} + - uses: ./actions/.github/actions/docker name: Docker build id: build diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f8d932fc..deb654c8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -143,6 +143,22 @@ on: default: . description: Whenever the WF requires a different path than . for the revision file required: false + ## Vault Secrets + VAULT_SECRETS: + type: string + default: '' + description: 'A comma separated list of secrets to fetch from Vault.' + required: false + TELEPORT_APP: + type: string + default: '' + description: 'The Teleport app to use.' + required: false + TELEPORT_PROXY_URL: + type: string + default: '' + description: 'The Teleport proxy URL to use.' + required: false secrets: SONAR_HOST_URL: required: false @@ -167,6 +183,13 @@ on: BUILD_ARGS: required: false description: Whenever we wanna use secrets and mount them as env + # Vault Secrets + VAULT_TOKEN: + required: false + description: 'Vault token.' + TELEPORT_TOKEN: + required: false + description: 'Teleport token.' outputs: IMAGE_TAG: value: ${{ jobs.BUILD.outputs.IMAGE_TAG }} 
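Review bot: The new "Retrieve Secrets from HashiCorp Vault" step is gated only on `inputs.VAULT_SECRETS != ''`, yet it also depends on `TELEPORT_PROXY_URL` and `TELEPORT_APP`, both of which default to `''`; with the proxy URL unset, `VAULT_ADDR` expands to the bare `https://` and the failure only surfaces later inside the Teleport/Vault steps with an unhelpful error. Guard all three at the step: `if: ${{ inputs.VAULT_SECRETS != '' && inputs.TELEPORT_PROXY_URL != '' && inputs.TELEPORT_APP != '' }}`. The `VAULT_TOKEN` and `TELEPORT_TOKEN` secrets are declared `required: false`, so the step can also run with blank credentials; a comment above the step such as `# Requires secrets VAULT_TOKEN and TELEPORT_TOKEN whenever VAULT_SECRETS is set` would document the caller's obligation. The enclosing job starts before this hunk.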
@@ -228,10 +251,15 @@ jobs: BUILD_ARGS: ${{ inputs.BUILD_ARGS }} OUTPUT_TAG_INDEX: ${{ inputs.OUTPUT_TAG_INDEX }} REVISION_PATH: ${{ inputs.REVISION_PATH }} + VAULT_SECRETS: ${{ inputs.VAULT_SECRETS }} + TELEPORT_APP: ${{ inputs.TELEPORT_APP }} + TELEPORT_PROXY_URL: ${{ inputs.TELEPORT_PROXY_URL }} secrets: GH_BOT_DEPLOY_KEY: ${{ secrets.GH_BOT_DEPLOY_KEY }} DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} DOCKER_SECRETS: ${{ secrets.DOCKER_SECRETS }} BUILD_ARGS: ${{ secrets.BUILD_ARGS }} + VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} + TELEPORT_TOKEN: ${{ secrets.TELEPORT_TOKEN }} diff --git a/.github/workflows/test-vault.yml b/.github/workflows/test-vault.yml new file mode 100644 index 00000000..eae93cac --- /dev/null +++ b/.github/workflows/test-vault.yml 
@@ -0,0 +1,55 @@
+name: 'Terragrunt GitHub Actions'
+on:
+
+ workflow_call:
+ inputs:
+ TELEPORT_PROXY_URL:
+ required: false
+ type: string
+ default: ''
+ description: Default Teleport URL
+ TELEPORT_APP:
+ required: false
+ type: string
+ default: ''
+ description: An app registered on teleport to authenticate using proxy
+ VAULT_SECRETS:
+ required: false
+ type: string
+ default: ''
+ description: A new line list of vault secrets to be fetched
+ secrets:
+ TELEPORT_TOKEN:
+ required: false
+ description: Teleport Token name
+ VAULT_TOKEN:
+ required: false
+ description: A Vault token in case vault is required
+
+jobs:
+ terragrunt:
+ name: 'Test vault'
+ runs-on: self-hosted
+ permissions: write-all
+
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v4
+
+ - name: Checkout actions
+ uses: actions/checkout@v4
+ with:
+ repository: signalwire/actions-template
+ ref: vault-secrets
+ path: actions
+
+ - name: vault secrets
+ uses: ./actions/.github/actions/vault-secrets
+ env:
+ VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
+ VAULT_ADDR: https://${{ inputs.TELEPORT_PROXY_URL }}
+ TELEPORT_TOKEN: ${{ secrets.TELEPORT_TOKEN }}
+ TELEPORT_APP: vault
+ TELEPORT_PROXY_URL: ${{ inputs.TELEPORT_PROXY_URL }}
+ SECRETS: ${{ inputs.VAULT_SECRETS }}
+
\ No newline at end of file
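Review bot: `permissions: write-all` gives the job's `GITHUB_TOKEN` every write scope although the steps only check out two repositories and call the vault-secrets action, so `contents: read` is sufficient; replace it with `permissions:` followed by `contents: read`, which keeps a job that already handles Vault and Teleport credentials from also holding a fully privileged repository token. The `TELEPORT_APP` input is declared but never read — the step hard-codes `TELEPORT_APP: vault` — so either use `TELEPORT_APP: ${{ inputs.TELEPORT_APP }}` or drop the input. The workflow name `'Terragrunt GitHub Actions'` and job id `terragrunt` look like copy-paste leftovers for a Vault test, `ref: vault-secrets` pins the checked-out actions to a feature branch that will need updating once this merges, and the file ends in a whitespace-only line with no trailing newline.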