cloud-image-uploader: Switch Azure to client certificate auth

Swap out the short(ish)-lived secret for a client certificate and key.
This, unfortunately, requires a minor code change in the application, so
ideally this should be rolled out to just staging; I can deploy the code
change there and double-check everything works before rolling it out to
prod.

Signed-off-by: Jeremy Cline <jeremycline@linux.microsoft.com>
Jeremy Cline
2025-11-18 15:43:37 -05:00
committed by kevin
parent 282930838c
commit 2e45debb74
3 changed files with 21 additions and 14 deletions


@@ -142,6 +142,12 @@
secret_file_key: registry-fedoraproject.key
secret_file_privatefile: "docker-registry/{{env}}/pki/private/containerstable.key"
- role: openshift/secret-file
secret_file_app: cloud-image-uploader
secret_file_secret_name: cloud-image-uploader-azure-key
secret_file_key: azure_client.key
secret_file_privatefile: "cloud-image-uploader/fedora-image-uploader{{env_suffix}}.key.pem"
- role: openshift/secret-file
secret_file_app: cloud-image-uploader
secret_file_secret_name: cloud-image-uploader-google-cloud-key
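Review bot: The new `openshift/secret-file` role entry (lines 23–27) has no `when:` guard, so the play will also try to read `cloud-image-uploader/fedora-image-uploader{{env_suffix}}.key.pem` for prod, even though the description says the rollout is meant to be staging-only for now; if the prod PEM is not in place yet, that lookup is what will fail a prod run, independent of the application change. A guard may of course live outside this hunk, but if not, `when: env == "staging"` on the role until the prod key exists would match the stated intent. Separately, the source file is named `.key.pem` while the consumer treats it as a client certificate — worth a comment on the role such as `# PEM must carry both the client certificate and its private key` so the next person rotating it knows what to put there.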


@@ -43,6 +43,9 @@ spec:
- name: google-cloud-key-volume
secret:
secretName: cloud-image-uploader-google-cloud-key
- name: azure-key-volume
secret:
secretName: cloud-image-uploader-azure-key
# skopeo wants the cert and key in the same directory
- name: registry-fedoraproject
projected:
@@ -57,17 +60,12 @@ spec:
imagePullPolicy: Always
workingDir: /srv/cloud-uploader/
env:
- name: AZURE_SECRET
valueFrom:
secretKeyRef:
name: azure-credentials
key: secret
- name: AZURE_CLIENT_ID
valueFrom:
secretKeyRef:
name: azure-credentials
key: client_id
- name: AZURE_TENANT
- name: AZURE_TENANT_ID
valueFrom:
secretKeyRef:
name: azure-credentials
@@ -77,6 +75,8 @@ spec:
secretKeyRef:
name: azure-credentials
key: subscription_id
- name: AZURE_CLIENT_CERTIFICATE_PATH
value: "/etc/pki/azure/azure_client.key"
- name: FEDORA_MESSAGING_CONF
value: "/etc/fedora-messaging/azure-config.toml"
volumeMounts:
@@ -92,22 +92,20 @@ spec:
- name: fedora-messaging-cert-volume
mountPath: /etc/pki/rabbitmq/cert
readOnly: true
- name: azure-key-volume
mountPath: /etc/pki/azure/
readOnly: true
- name: azure-image-tester
image: image-registry.openshift-image-registry.svc:5000/cloud-image-uploader/fedora-image-tester:latest
imagePullPolicy: Always
workingDir: /srv/fedora-image-tester/
env:
- name: AZURE_SECRET
valueFrom:
secretKeyRef:
name: azure-credentials
key: secret
- name: AZURE_CLIENT_ID
valueFrom:
secretKeyRef:
name: azure-credentials
key: client_id
- name: AZURE_TENANT
- name: AZURE_TENANT_ID
valueFrom:
secretKeyRef:
name: azure-credentials
@@ -117,6 +115,8 @@ spec:
secretKeyRef:
name: azure-credentials
key: subscription_id
- name: AZURE_CLIENT_CERTIFICATE_PATH
value: "/etc/pki/azure/azure_client.key"
- name: FEDORA_MESSAGING_CONF
value: "/etc/fedora-messaging/azure-tester-config.toml"
volumeMounts:
@@ -132,6 +132,9 @@ spec:
- name: fedora-messaging-cert-volume
mountPath: /etc/pki/rabbitmq/cert
readOnly: true
- name: azure-key-volume
mountPath: /etc/pki/azure/
readOnly: true
- name: aws-image-uploader
image: image-registry.openshift-image-registry.svc:5000/cloud-image-uploader/cloud-image-uploader:latest
imagePullPolicy: Always
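Review bot: `AZURE_CLIENT_CERTIFICATE_PATH` at lines 67–68 (and the same setting for the tester container at lines 103–104) points at a file named `azure_client.key`, but azure-identity's certificate credential expects a PEM or PKCS12 file that contains the client certificate together with the private key, as far as I recall because the certificate itself is needed to build the assertion thumbprint. If the secret created from the `.key.pem` only holds the private key, the credential will fail to initialize at container start, so this is worth confirming against the actual file contents, and a comment such as `# PEM must contain both the client certificate and its private key` above the `value:` would make the expectation explicit. Because a private key now sits on disk inside the container, consider `defaultMode: 0400` on the `azure-key-volume` secret (lines 38–40) so it is not world-readable to any other process in the pod. Unlike the old secret, a certificate has a fixed expiry, so recording the expiry date where operators will see it would avoid a surprise outage.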


@@ -7,11 +7,9 @@ metadata:
app: "cloud-image-uploader"
stringData:
{% if env == 'staging' %}
secret: "{{stg_azure_secret}}"
client_id: "{{stg_azure_client_id}}"
tenant_id: "{{stg_azure_tenant_id}}"
{% else %}
secret: "{{prod_azure_secret}}"
client_id: "{{prod_azure_client_id}}"
tenant_id: "{{prod_azure_tenant_id}}"
{% endif %}