Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 72 additions & 12 deletions .github/workflows/pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,9 @@
Deploy-NonProd:
runs-on: self-hosted-linux
needs: Publish
permissions:
contents: read
id-token: write # required for GitHub OIDC -> Vault
strategy:
max-parallel: 1
matrix:
Expand All @@ -129,13 +132,40 @@
- name: Setup kubectl
uses: azure/setup-kubectl@v4

# Keyless: GitHub OIDC -> Vault jwt auth. exportToken makes VAULT_TOKEN available to the mint step.
- name: Vault login (GitHub OIDC)
uses: hashicorp/vault-action@v3

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow or composite action Medium

Unpinned 3rd party Action 'Docker Build and Push' step
Uses Step
uses 'hashicorp/vault-action' with ref 'v3', not a pinned commit hash
with:
url: https://vault.support.tools
method: jwt
path: github-actions # the jwt auth mount
role: gha-website
jwtGithubAudience: https://github.com/SupportTools # matches bound_audiences
exportToken: true # -> VAULT_TOKEN env for the next step

# Mint the short-lived (1h), namespace-scoped Kubernetes token and build a kubeconfig from it.
# The kubernetes secrets engine generates on WRITE (PUT + kubernetes_namespace), so it must be
# requested explicitly here. In-cluster runner => talk to a1-ops-prd's own apiserver + in-cluster CA.
- name: Setup Kubeconfig
env:
VAULT_ADDR: https://vault.support.tools
run: |
echo "${{ secrets.KUBECONFIG_DEV }}" | base64 -d > kubeconfig
KUBE_TOKEN=$(curl -sf -H "X-Vault-Token: ${VAULT_TOKEN}" \
-X PUT -d '{"kubernetes_namespace":"arc-runners-supporttools"}' \
"${VAULT_ADDR}/v1/kubernetes-onprem/creds/website" \
| jq -r '.data.service_account_token')
Comment on lines +153 to +156

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Grant create before keeping the bootstrap branch

This kubeconfig is now sourced from the Vault-issued least-privilege token, but the deploy script still treats a missing supporttools-${ENVIRONMENT} Application as recoverable by piping argocd/${ENVIRONMENT}.yaml into kubectl apply below. The new role is scoped for the existing get/patch path, so if one of the six Applications is deleted or a cluster is rebuilt, this branch now fails with an RBAC error instead of recreating it as the old kubeconfig did; the same pattern exists in Deploy-Prod. Either give the token create on those Applications or replace the branch with a clear precondition failure.

Useful? React with 👍 / 👎.

test -n "$KUBE_TOKEN" && test "$KUBE_TOKEN" != null || { echo "::error::failed to mint K8s token"; exit 1; }
echo "::add-mask::$KUBE_TOKEN"
kubectl config set-cluster onprem \
--server=https://kubernetes.default.svc:443 \
--certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
--embed-certs=true --kubeconfig=kubeconfig
kubectl config set-credentials ci --token="${KUBE_TOKEN}" --kubeconfig=kubeconfig
kubectl config set-context ci --cluster=onprem --user=ci --namespace=argocd --kubeconfig=kubeconfig
kubectl config use-context ci --kubeconfig=kubeconfig
chmod 600 kubeconfig

- name: Deploy ArgoCD Project
run: kubectl --kubeconfig kubeconfig apply -f argocd/project.yaml
# ArgoCD AppProject (argocd/project.yaml) is managed by cluster-services; the scoped CI token cannot apply AppProjects.

- name: Deploy Environment - ${{ matrix.environment }}
run: |
Expand Down Expand Up @@ -174,7 +204,7 @@
echo "Application did not become healthy in time."
exit 1
fi

- name: Check if CDN Sync is needed
id: check-sync-cdn
run: |
Expand All @@ -188,6 +218,9 @@
Deploy-Prod:
runs-on: self-hosted-linux
needs: Deploy-NonProd
permissions:
contents: read
id-token: write # required for GitHub OIDC -> Vault
strategy:
max-parallel: 1
matrix:
Expand All @@ -203,13 +236,40 @@
- name: Setup kubectl
uses: azure/setup-kubectl@v4

# Keyless: GitHub OIDC -> Vault jwt auth. exportToken makes VAULT_TOKEN available to the mint step.
- name: Vault login (GitHub OIDC)
uses: hashicorp/vault-action@v3

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow or composite action Medium

Unpinned 3rd party Action 'Docker Build and Push' step
Uses Step
uses 'hashicorp/vault-action' with ref 'v3', not a pinned commit hash
with:
url: https://vault.support.tools
method: jwt
path: github-actions # the jwt auth mount
role: gha-website
jwtGithubAudience: https://github.com/SupportTools # matches bound_audiences
exportToken: true # -> VAULT_TOKEN env for the next step

# Mint the short-lived (1h), namespace-scoped Kubernetes token and build a kubeconfig from it.
# The kubernetes secrets engine generates on WRITE (PUT + kubernetes_namespace), so it must be
# requested explicitly here. In-cluster runner => talk to a1-ops-prd's own apiserver + in-cluster CA.
- name: Setup Kubeconfig
env:
VAULT_ADDR: https://vault.support.tools
run: |
echo "${{ secrets.KUBECONFIG_PROD }}" | base64 -d > kubeconfig
KUBE_TOKEN=$(curl -sf -H "X-Vault-Token: ${VAULT_TOKEN}" \
-X PUT -d '{"kubernetes_namespace":"arc-runners-supporttools"}' \
"${VAULT_ADDR}/v1/kubernetes-onprem/creds/website" \
| jq -r '.data.service_account_token')
test -n "$KUBE_TOKEN" && test "$KUBE_TOKEN" != null || { echo "::error::failed to mint K8s token"; exit 1; }
echo "::add-mask::$KUBE_TOKEN"
kubectl config set-cluster onprem \
--server=https://kubernetes.default.svc:443 \
--certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
--embed-certs=true --kubeconfig=kubeconfig
kubectl config set-credentials ci --token="${KUBE_TOKEN}" --kubeconfig=kubeconfig
kubectl config set-context ci --cluster=onprem --user=ci --namespace=argocd --kubeconfig=kubeconfig
kubectl config use-context ci --kubeconfig=kubeconfig
chmod 600 kubeconfig

- name: Deploy ArgoCD Project
run: kubectl --kubeconfig kubeconfig apply -f argocd/project.yaml
# ArgoCD AppProject (argocd/project.yaml) is managed by cluster-services; the scoped CI token cannot apply AppProjects.

- name: Deploy Environment - ${{ matrix.environment }}
run: |
Expand Down Expand Up @@ -248,34 +308,34 @@
echo "Application did not become healthy in time."
exit 1
fi

- name: Check if CDN Sync is needed
id: check-sync-cdn
run: |
if [[ "${{ matrix.environment }}" == "qas" || "${{ matrix.environment }}" == "tst" || "${{ matrix.environment }}" == "stg" || "${{ matrix.environment }}" == "prd" ]]; then
echo "synccdn=true" >> $GITHUB_OUTPUT
else
echo "synccdn=false" >> $GITHUB_OUTPUT
fi
fi

# Sync-CDN:
# runs-on: ubuntu-latest
# needs: Deploy
# if: needs.Deploy.outputs.synccdn_needed == 'true'

# steps:
# - name: Checkout repository
# uses: actions/checkout@v3
# with:
# fetch-depth: 0 # Fetch all history for proper change detection

# - name: Install AWS CLI
# run: |
# curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# unzip awscliv2.zip
# sudo ./aws/install
# aws --version

# - name: Sync to Wasabi S3 bucket
# env:
# AWS_ACCESS_KEY_ID: ${{ secrets.WASABI_ACCESS_KEY }}
Expand Down
Loading