ZO-4519: Retrieve credentials from vault instead of hardcoding them

ZeitOnline · Jan 25, 2024 · 817c60b · 817c60b
1 parent 81f416d
commit 817c60b
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 8 deletions.
diff --git a/.github/workflows/nightwatch.yaml b/.github/workflows/nightwatch.yaml
@@ -18,7 +18,20 @@ jobs:
     secrets: inherit
     with:
       versions: smoketest/k8s/base/versions
+      # copy&paste from k8s/base and k8s/staging manifest;
+      # the json/shell quoting is atrocious.
       args: |
-        --overrides='{ "spec": { "serviceAccount": "baseproject" } }' --env="HTTPS_PROXY=http://static-ip-proxy.ops.zeit.de:3128"
+        --override-type=strategic --overrides="{\"spec\": {
+          \"serviceAccount\": \"baseproject\",
+          \"containers\": [{
+            \"name\": \"nightwatch-test-$TAG\",
+            \"env\": [
+                {\"name\": \"HTTPS_PROXY\", \"value\": \"http://static-ip-proxy.ops.zeit.de:3128\"},
+                {\"name\": \"VIVI_XMLRPC_PASSWORD\", \"valueFrom\": {\"secretKeyRef\": {
+                  \"name\": \"principals\",
+                  \"key\": \"vivi_zeit.cms.principals_system.nightwatch\"
+                }}}
+            ]
+          }] }}"
 
   # deploy happens via flux (on `main` branch)
diff --git a/bin/test b/bin/test
@@ -2,6 +2,19 @@
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
+function vault_read() {
+    local path=$1
+    local field=$2
+
+    if [[ -z "$VAULT_TOKEN" ]]; then
+        VAULT_TOKEN=$(<"$HOME/.vault-token")
+    fi
+    curl --silent -H "X-Vault-Token: $VAULT_TOKEN" \
+         "${VAULT_ADDR%/}/v1/zon/v1/${path}" | \
+        sed -e "s+^.*\"${field}\":\"\([^\"]*\).*$+\1+"
+}
+
+
 COMMAND=$1
 case $COMMAND in
     smoke)
@@ -16,11 +29,13 @@ case $COMMAND in
 
         cd "$DIR/../smoketest"
 
-        image=$(awk -F': ' '$2 == "nightwatch" { l=NR } l && NR==l+1 { print $2 }' \
+        image=$(awk -F': ' '/^  newName:/ { print $2 }' \
                 < k8s/base/kustomization.yaml)
         docker buildx build --output type=docker --quiet --tag $image .
-        docker run --rm ${interactive} $image \
-               --nightwatch-environment=$environment "$@"
+        docker run --rm -it \
+            -e VIVI_XMLRPC_PASSWORD=$(vault_read vivi/$environment/nightwatch password) \
+            $image \
+            --nightwatch-environment=$environment "$@"
         ;;
     *)
         echo "Unrecognized command: $COMMAND"

diff --git a/smoketest/conftest.py b/smoketest/conftest.py
@@ -1,12 +1,13 @@
 from io import BytesIO
 from urllib.parse import urlparse
+import os
 import xmlrpc.client
 
 import pytest
 import webdav3.client
 
 
-XMLRPC_AUTH = 'nightwatch:FecOdyuecl4OdAgosLong$'
+XMLRPC_AUTH = 'nightwatch:' + os.environ['VIVI_XMLRPC_PASSWORD']
 CONFIG_STAGING = {
     'browser': {'baseurl': 'https://www.staging.zeit.de'},
     'vivi': {

diff --git a/smoketest/k8s/base/kustomization.yaml b/smoketest/k8s/base/kustomization.yaml
@@ -5,6 +5,20 @@ components:
 - github.com/ZeitOnline/kustomize/components/nightwatch?ref=1.3
 - versions
 
+patches:
+- target:
+    kind: Deployment
+    name: nightwatch
+  patch: |
+    - op: add
+      path: /spec/template/spec/containers/0/env
+      value:
+        - name: VIVI_XMLRPC_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: principals
+              key: vivi_zeit.cms.principals_system.nightwatch
+
 # See https://github.com/ZeitOnline/gh-action-workflows/blob/main/.github/workflows/nightwatch-build.yaml
 images:
 - name: nightwatch

diff --git a/smoketest/k8s/staging/kustomization.yaml b/smoketest/k8s/staging/kustomization.yaml
@@ -10,7 +10,7 @@ patches:
     name: nightwatch
   patch: |-
     - op: add
-      path: /spec/template/spec/containers/0/env
+      path: /spec/template/spec/containers/0/env/-
       value:
-        - name: HTTPS_PROXY
-          value: http://static-ip-proxy.ops.zeit.de:3128
+        name: HTTPS_PROXY
+        value: http://static-ip-proxy.ops.zeit.de:3128