refresh GH action ID token during pipeline runs #1214

Merged
merged 3 commits into from
Feb 3, 2025
5 changes: 5 additions & 0 deletions .github/workflows/aro-hcp-cd.yml
Expand Up @@ -4,6 +4,11 @@
DEPLOY_ENV: dev
PERSIST: true
SKIP_CONFIRM: true
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
#AZURE_AUTHORITY_HOST: https://login.microsoftonline.com/
PRINCIPAL_ID: ${{ secrets.GHA_PRINCIPAL_ID }}
on:
workflow_dispatch:
pull_request:
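Review bot: The new `#AZURE_AUTHORITY_HOST: https://login.microsoftonline.com/` line is commented-out configuration with no explanation of when it should be enabled, and the identical line is added to environment-infra-cd.yml, services-cd.yml, services-ci.yml and services-pr-check.yml in this PR. Either drop it or make it a proper comment that documents the knob, e.g. `# Optional: set AZURE_AUTHORITY_HOST here to override the authority used by azidentity.` If it stays as a disabled key, yamllint's `comments` rule wants a space after the hash: `# AZURE_AUTHORITY_HOST: https://login.microsoftonline.com/`.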
12 changes: 5 additions & 7 deletions .github/workflows/environment-infra-cd.yml
Expand Up @@ -4,6 +4,11 @@
DEPLOY_ENV: ${{ inputs.deploy_env }}
SKIP_CONFIRM: true
PERSIST: true
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
#AZURE_AUTHORITY_HOST: https://login.microsoftonline.com/
PRINCIPAL_ID: ${{ secrets.GHA_PRINCIPAL_ID }}
on:
workflow_call:
inputs:
Expand Down Expand Up @@ -90,12 +95,8 @@
- name: 'Deploy Cluster'
run: |
cd dev-infrastructure/
az account get-access-token --output none
PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make svc
# grant GH action user access to resources
# PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make svc.dev-role-assignments
- name: 'Az CLI login again'
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with:
Expand All @@ -106,7 +107,6 @@
- name: 'Deploy rest'
run: |
cd dev-infrastructure/
az account get-access-token --output none
PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make svc.aks.admin-access
- name: 'CS PR check MSI'
Expand Down Expand Up @@ -154,7 +154,6 @@
- name: 'Deploy or Update'
run: |
cd dev-infrastructure/
az account get-access-token --output none
PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make mgmt
- name: 'Az CLI login again'
Expand All @@ -167,5 +166,4 @@
- name: 'Deploy rest'
run: |
cd dev-infrastructure/
az account get-access-token --output none
PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make mgmt.aks.admin-access
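Review bot: The `PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make svc` prefix on the `Deploy Cluster` run line is now redundant, since the first hunk of this file adds `PRINCIPAL_ID: ${{ secrets.GHA_PRINCIPAL_ID }}` to the workflow-level `env:`; the same applies to the `make svc.aks.admin-access`, `make mgmt` and `make mgmt.aks.admin-access` lines in the other hunks. Reading the value from the environment (`make svc`) also avoids expanding a `${{ }}` expression directly into the shell script, which is the pattern the env block exists to replace. The `Az CLI login again` steps kept after each deploy may likewise be unnecessary once the token refresher is in place, but the hunks do not show what still depends on an `az` session, so that is only a question. The jobs containing these steps start and end outside the hunks.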
9 changes: 5 additions & 4 deletions .github/workflows/services-cd.yml
Expand Up @@ -3,6 +3,11 @@
env:
DEPLOY_ENV: ${{ inputs.deploy_env }}
SKIP_CONFIRM: true
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
#AZURE_AUTHORITY_HOST: https://login.microsoftonline.com/
PRINCIPAL_ID: ${{ secrets.GHA_PRINCIPAL_ID }}
on:
workflow_call:
inputs:
Expand Down Expand Up @@ -33,8 +38,6 @@
jobs:

deploy_to_service_cluster:
env:
PRINCIPAL_ID: ${{ secrets.GHA_PRINCIPAL_ID }}
permissions:
id-token: 'write'
contents: 'read'
Expand Down Expand Up @@ -112,8 +115,6 @@
./svc-deploy.sh ${DEPLOY_ENV} cluster-service svc deploy-pr-env-deps
deploy_to_management_cluster:
env:
PRINCIPAL_ID: ${{ secrets.GHA_PRINCIPAL_ID }}
permissions:
id-token: 'write'
contents: 'read'
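Review bot: Moving `PRINCIPAL_ID` from the job-level `env:` of `deploy_to_service_cluster` and `deploy_to_management_cluster` to the workflow-level `env:` makes it, together with the new `AZURE_*` values, visible to every job and step in the workflow, including the third-party actions the jobs use. These are identifiers rather than secrets proper, so the exposure is limited, but it is still a widening of scope relative to the job-scoped block these hunks delete, and the same move happens in services-pr-check.yml. If only the deploy jobs consume them, keeping the job-level `env:` preserves the narrower scope; otherwise a one-line comment above the workflow `env:` noting that the templatize tooling reads these variables for federated auth would explain why they moved.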
5 changes: 5 additions & 0 deletions .github/workflows/services-ci.yml
Expand Up @@ -2,6 +2,11 @@
name: ARO HCP Dev Environment Continuous Deployment
env:
DEPLOY_ENV: dev
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
#AZURE_AUTHORITY_HOST: https://login.microsoftonline.com/
PRINCIPAL_ID: ${{ secrets.GHA_PRINCIPAL_ID }}
on:
workflow_call:
inputs:
23 changes: 5 additions & 18 deletions .github/workflows/services-pr-check.yml
Expand Up @@ -3,6 +3,11 @@
env:
DEPLOY_ENV: dev
SKIP_CONFIRM: true
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
#AZURE_AUTHORITY_HOST: https://login.microsoftonline.com/
PRINCIPAL_ID: ${{ secrets.GHA_PRINCIPAL_ID }}
on:
pull_request:
paths:
Expand Down Expand Up @@ -33,8 +38,6 @@

jobs:
service_cluster_pr_check:
env:
PRINCIPAL_ID: ${{ secrets.GHA_PRINCIPAL_ID }}
permissions:
id-token: 'write'
contents: 'read'
Expand All @@ -47,13 +50,6 @@
- name: "install azure-cli"
uses: "Azure/ARO-HCP@main"

- name: 'Az CLI login'
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

- uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0

# Used to deploy Cluster Service
Expand Down Expand Up @@ -105,8 +101,6 @@
make metrics.dry_run
mgmt_cluster_pr_check:
env:
PRINCIPAL_ID: ${{ secrets.GHA_PRINCIPAL_ID }}
permissions:
id-token: 'write'
contents: 'read'
Expand All @@ -119,13 +113,6 @@
- name: "install azure-cli"
uses: "Azure/ARO-HCP@main"

- name: 'Az CLI login'
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

- uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0

# Used to deploy Cluster Service
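Review bot: Both jobs drop the `Az CLI login` step but keep the `install azure-cli` step (`uses: "Azure/ARO-HCP@main"`), and nothing in these hunks shows what now authenticates the CLI. If any later step in `service_cluster_pr_check` or `mgmt_cluster_pr_check` still shells out to `az`, it now runs without a login; if the CLI is only there for the tooling's credential chain, that chain will presumably fail over on every run and the install could be dropped. A comment above the install step naming what still needs the CLI would make the intent checkable, e.g. `# azure-cli is still needed by <consumer>; az login is handled by the templatize tooling's federated auth`. The steps after `install azure-cli` continue outside the hunk.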
6 changes: 6 additions & 0 deletions tooling/templatize/cmd/pipeline/run/cmd.go
Expand Up @@ -4,6 +4,8 @@ import (
"context"

"github.com/spf13/cobra"

"github.com/Azure/ARO-HCP/tooling/templatize/pkg/azauth"
)

func NewCommand() (*cobra.Command, error) {
Expand Down Expand Up @@ -31,5 +33,9 @@ func runPipeline(ctx context.Context, opts *RawRunOptions) error {
if err != nil {
return err
}
err = azauth.SetupAzureAuth(ctx)
if err != nil {
return err
}
return completed.RunPipeline(ctx)
}
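Review bot: `err = azauth.SetupAzureAuth(ctx)` reuses the outer `err` where idiomatic Go would scope it to the check, `if err := azauth.SetupAzureAuth(ctx); err != nil { return err }`. Nothing here cancels or waits for whatever the refresher starts; if it runs a goroutine bound to `ctx`, its lifetime is the pipeline's, which is reasonable but worth stating above the call, e.g. `// start the GitHub federated-token refresher before the pipeline runs; it lives as long as ctx`. `runPipeline` begins outside the hunk.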
4 changes: 2 additions & 2 deletions tooling/templatize/internal/end2end/e2e.go
Expand Up @@ -9,9 +9,9 @@ import (

"gopkg.in/yaml.v2"

"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"

"github.com/Azure/ARO-HCP/tooling/templatize/pkg/azauth"
"github.com/Azure/ARO-HCP/tooling/templatize/pkg/config"
"github.com/Azure/ARO-HCP/tooling/templatize/pkg/pipeline"
)
Expand Down Expand Up @@ -112,7 +112,7 @@ func (e *e2eImpl) UseRandomRG() func() error {
if err != nil {
return err
}
cred, err := azidentity.NewDefaultAzureCredential(nil)
cred, err := azauth.GetAzureTokenCredentials()
if err != nil {
return err
}
8 changes: 4 additions & 4 deletions tooling/templatize/internal/end2end/e2e_test.go
Expand Up @@ -10,10 +10,10 @@ import (
"gotest.tools/v3/assert"

"github.com/Azure/ARO-HCP/tooling/templatize/cmd/pipeline/run"
"github.com/Azure/ARO-HCP/tooling/templatize/pkg/azauth"
"github.com/Azure/ARO-HCP/tooling/templatize/pkg/config"
"github.com/Azure/ARO-HCP/tooling/templatize/pkg/pipeline"

"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
)
Expand Down Expand Up @@ -107,7 +107,7 @@ param zoneName = 'e2etestarmdeploy.foo.bar.example.com'
subsriptionID, err := pipeline.LookupSubscriptionID(context.Background(), "ARO Hosted Control Planes (EA Subscription 1)")
assert.NilError(t, err)

cred, err := azidentity.NewDefaultAzureCredential(nil)
cred, err := azauth.GetAzureTokenCredentials()
assert.NilError(t, err)

zonesClient, err := armdns.NewZonesClient(subsriptionID, cred, nil)
Expand Down Expand Up @@ -314,7 +314,7 @@ resource newRG 'Microsoft.Resources/resourceGroups@2024-03-01' = {
subsriptionID, err := pipeline.LookupSubscriptionID(context.Background(), "ARO Hosted Control Planes (EA Subscription 1)")
assert.NilError(t, err)

cred, err := azidentity.NewDefaultAzureCredential(nil)
cred, err := azauth.GetAzureTokenCredentials()
assert.NilError(t, err)

rgClient, err := armresources.NewResourceGroupsClient(subsriptionID, cred, nil)
Expand Down Expand Up @@ -354,7 +354,7 @@ param zoneName = 'e2etestarmdeploy.foo.bar.example.com'
subsriptionID, err := pipeline.LookupSubscriptionID(context.Background(), "ARO Hosted Control Planes (EA Subscription 1)")
assert.NilError(t, err)

cred, err := azidentity.NewDefaultAzureCredential(nil)
cred, err := azauth.GetAzureTokenCredentials()
assert.NilError(t, err)

zonesClient, err := armdns.NewZonesClient(subsriptionID, cred, nil)
7 changes: 4 additions & 3 deletions tooling/templatize/pkg/aks/admin.go
Expand Up @@ -9,14 +9,15 @@ import (

"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
armauthorization "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3"
"github.com/google/uuid"
auth "github.com/microsoft/kiota-authentication-azure-go"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/clientcmd"

"github.com/Azure/ARO-HCP/tooling/templatize/pkg/azauth"
)

const (
Expand Down Expand Up @@ -99,7 +100,7 @@ func getCurrentUserObjectID(ctx context.Context) (string, error) {
}

// Create a Graph client using Azure Credentials
cred, err := azidentity.NewDefaultAzureCredential(nil)
cred, err := azauth.GetAzureTokenCredentials()
if err != nil {
return "", fmt.Errorf("failed to obtain a credential: %w", err)
}
Expand Down Expand Up @@ -130,7 +131,7 @@ func getCurrentUserObjectID(ctx context.Context) (string, error) {

func assignClusterAdminRBACRole(ctx context.Context, subscriptionID, resourceGroupName, aksClusterName, userObjectID, roleID string) error {
// Create a new Azure identity client
cred, err := azidentity.NewDefaultAzureCredential(nil)
cred, err := azauth.GetAzureTokenCredentials()
if err != nil {
return fmt.Errorf("failed to obtain a credential: %w", err)
}
5 changes: 3 additions & 2 deletions tooling/templatize/pkg/aks/kubeconfig.go
Expand Up @@ -6,8 +6,9 @@ import (
"os"
"os/exec"

"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice"

"github.com/Azure/ARO-HCP/tooling/templatize/pkg/azauth"
)

func GetKubeConfig(ctx context.Context, subscriptionID, resourceGroupName, aksClusterName string) (string, error) {
Expand All @@ -16,7 +17,7 @@ func GetKubeConfig(ctx context.Context, subscriptionID, resourceGroupName, aksCl
}

// Create a new Azure identity client
cred, err := azidentity.NewDefaultAzureCredential(nil)
cred, err := azauth.GetAzureTokenCredentials()
if err != nil {
return "", fmt.Errorf("failed to obtain a credential: %v", err)
}
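--- a/tooling/templatize/pkg/azauth/auth.go
+++ b/tooling/templatize/pkg/azauth/auth.go
@@ -0,0 +1,37 @@
+package azauth
+
+import (
+"context"
+"fmt"
+
+"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+)
+
+func SetupAzureAuth(ctx context.Context) error {
+if githubAuthSupported() {
+err := setupGithubAzureFederationAuthRefresher(ctx)
+if err != nil {
+return fmt.Errorf("failed to setup GitHub Azure Federation Auth Refresher: %w", err)
+}
+}
+return nil
+}
+
+func GetAzureTokenCredentials() (azcore.TokenCredential, error) {
+azCLI, err := azidentity.NewAzureCLICredential(nil)
+if err != nil {
+return nil, err
+}
+
+def, err := azidentity.NewDefaultAzureCredential(nil)
+if err != nil {
+return nil, err
+}
+
+chain, err := azidentity.NewChainedTokenCredential([]azcore.TokenCredential{azCLI, def}, nil)
+if err != nil {
+return nil, err
+}
+return chain, nil
+}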
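Review bot: `SetupAzureAuth` and `GetAzureTokenCredentials` are exported but carry no doc comments, and the chain's behaviour is the thing that needs documenting: `AzureCLICredential` is placed ahead of `DefaultAzureCredential`, whose own chain already tries the CLI after the environment, workload-identity and managed-identity credentials, so a locally logged-in `az` session takes precedence over `AZURE_CLIENT_ID`/`AZURE_TENANT_ID` settings and the CLI is consulted twice when it fails. If that precedence is intended, state it: `// GetAzureTokenCredentials returns a chained credential that prefers an existing Azure CLI login and falls back to DefaultAzureCredential.` For the other function, something like `// SetupAzureAuth starts the GitHub federated-token refresher when running under GitHub Actions and is a no-op elsewhere.` — with the caveat that `githubAuthSupported` and `setupGithubAzureFederationAuthRefresher` are defined outside this diff, so the no-op claim should be checked against them. Every caller updated in this PR builds a fresh chain per call; holding one credential and reusing it would let `ChainedTokenCredential` remember which source succeeded instead of re-probing on each client.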