Skip to content

Commit

Permalink
ZO-4519: Retrieve credentials from vault instead of hardcoding them
Browse files Browse the repository at this point in the history
  • Loading branch information
wosc committed Jan 24, 2024
1 parent 81f416d commit a842fd6
Show file tree
Hide file tree
Showing 5 changed files with 49 additions and 7 deletions.
14 changes: 13 additions & 1 deletion .github/workflows/nightwatch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,19 @@ jobs:
secrets: inherit
with:
versions: smoketest/k8s/base/versions
# copy&paste from k8s/base and k8s/staging manifest
args: |
--overrides='{ "spec": { "serviceAccount": "baseproject" } }' --env="HTTPS_PROXY=http://static-ip-proxy.ops.zeit.de:3128"
--override-type=strategic --overrides='{"spec": {
"serviceAccount": "baseproject",
"containers": [{
"name": "nightwatch-test-${{env.tag}}",
"env": [
{"name": "HTTPS_PROXY", "value": "http://static-ip-proxy.ops.zeit.de:3128"},
{"name": "VIVI_XMLRPC_PASSWORD", "valueFrom": {"secretKeyRef": {
"name": "principals",
"key": "vivi_zeit.cms.principals_system.nightwatch",
}}}
]
]} }'
# deploy happens via flux (on `main` branch)
19 changes: 17 additions & 2 deletions bin/test
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,19 @@

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

function vault_read() {
local path=$1
local field=$2

if [[ -z "$VAULT_TOKEN" ]]; then
VAULT_TOKEN=$(<"$HOME/.vault-token")
fi
curl --silent -H "X-Vault-Token: $VAULT_TOKEN" \
"${VAULT_ADDR%/}/v1/zon/v1/${path}" | \
sed -e "s+^.*\"${field}\":\"\([^\"]*\).*$+\1+"
}


COMMAND=$1
case $COMMAND in
smoke)
Expand All @@ -16,10 +29,12 @@ case $COMMAND in

cd "$DIR/../smoketest"

image=$(awk -F': ' '$2 == "nightwatch" { l=NR } l && NR==l+1 { print $2 }' \
image=$(awk -F': ' '/^ newName:/ { print $2 }' \
< k8s/base/kustomization.yaml)
docker buildx build --output type=docker --quiet --tag $image .
docker run --rm ${interactive} $image \
docker run --rm ${interactive} \
-e VIVI_XMLRPC_PASSWORD=$(vault_read vivi/staging/nightwatch password) \
$image \
--nightwatch-environment=$environment "$@"
;;
*)
Expand Down
3 changes: 2 additions & 1 deletion smoketest/conftest.py
Original file line number Diff line number Diff line change
@@ -1,12 +1,13 @@
from io import BytesIO
from urllib.parse import urlparse
import os
import xmlrpc.client

import pytest
import webdav3.client


XMLRPC_AUTH = 'nightwatch:FecOdyuecl4OdAgosLong$'
XMLRPC_AUTH = 'nightwatch:' + os.environ['VIVI_XMLRPC_PASSWORD']
CONFIG_STAGING = {
'browser': {'baseurl': 'https://www.staging.zeit.de'},
'vivi': {
Expand Down
14 changes: 14 additions & 0 deletions smoketest/k8s/base/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,20 @@ components:
- github.com/ZeitOnline/kustomize/components/nightwatch?ref=1.3
- versions

patches:
- target:
kind: Deployment
name: nightwatch
patch: |
- op: add
path: /spec/template/spec/containers/0/env
value:
- name: VIVI_XMLRPC_PASSWORD
valueFrom:
secretKeyRef:
name: principals
key: vivi_zeit.cms.principals_system.nightwatch
# See https://github.com/ZeitOnline/gh-action-workflows/blob/main/.github/workflows/nightwatch-build.yaml
images:
- name: nightwatch
Expand Down
6 changes: 3 additions & 3 deletions smoketest/k8s/staging/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ patches:
name: nightwatch
patch: |-
- op: add
path: /spec/template/spec/containers/0/env
path: /spec/template/spec/containers/0/env/-
value:
- name: HTTPS_PROXY
value: http://static-ip-proxy.ops.zeit.de:3128
name: HTTPS_PROXY
value: http://static-ip-proxy.ops.zeit.de:3128

0 comments on commit a842fd6

Please sign in to comment.