Merge branch 'RESTAPI-994-update-ci-pipeline-to-new-vault-token' into…

… 'master' ci: use vault jwt integration See merge request firecrest/firecrest!266
eth-cscs · Jan 31, 2024 · 8fc24ef · 8fc24ef
2 parents 9f49c20 + 2a51bfd
commit 8fc24ef
Showing 1 changed file with 12 additions and 17 deletions.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -13,28 +13,19 @@ stages:          # List of stages for jobs, and their order of execution
 
 build_images:
   stage: build_images
-  id_tokens:
-    VAULT_ID_TOKEN:
-      aud: $CI_VAULT_ADDR
   rules:
     - if: '$CI_COMMIT_TAG =~ /^v1+[.][0-9]+([.][0-9]+)?$/ || $CI_COMMIT_TAG =~ /^v1+[.][0-9]+([.][0-9]+)-dev+([.][0-9]+)?$/ || $CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH =~ /^RESTAPI-.{10,}$/'
   image:
     name: gcr.io/kaniko-project/executor:debug
     entrypoint: [""]
   script:
     - echo "Build images with tag ${CI_COMMIT_SHORT_SHA}"
-
-    - wget https://releases.hashicorp.com/vault/1.11.0/vault_1.11.0_linux_amd64.zip
-    - unzip vault_1.11.0_linux_amd64.zip
-    - export PATH=$PATH:$(pwd)
-    - export VAULT_ADDR="$CI_VAULT_ADDR"
-
     - mkdir -p /kaniko/.docker
     - echo '{"auths":{"'$CI_REGISTRY'":{"username":"'$CI_REGISTRY_USER'","password":"'$CI_REGISTRY_PASSWORD'"}}}' > /kaniko/.docker/config.json
     - |
 
-        # Base image for each commit″
-        /kaniko/executor --context ./ --dockerfile deploy/docker/base/Dockerfile --destination ${CI_REGISTRY_PREFIX}/f7t-base:${CI_COMMIT_SHORT_SHA} --cleanup
+        # Base image for each commit
+        /kaniko/executor --context ./ --dockerfile deploy/docker/base/Dockerfile --destination ${CI_REGISTRY_PREFIX}/f7t-base:${CI_COMMIT_SHORT_SHA} --single-snapshot
 
         # Core microservices
         for img in certificator compute reservations status storage tasks utilities; do
@@ -46,11 +37,11 @@ build_images:
 
         # build web client
         /kaniko/executor --context src/tests/template_client --dockerfile ./Dockerfile \
-        --destination ${CI_REGISTRY_PREFIX}/client:${CI_COMMIT_SHORT_SHA} --cleanup
+        --destination ${CI_REGISTRY_PREFIX}/client:${CI_COMMIT_SHORT_SHA} --cleanup --single-snapshot
 
         # build tester
         /kaniko/executor --context ./ --dockerfile deploy/docker/tester/Dockerfile \
-        --destination ${CI_REGISTRY_PREFIX}/tester:${CI_COMMIT_SHORT_SHA} --cleanup
+        --destination ${CI_REGISTRY_PREFIX}/tester:${CI_COMMIT_SHORT_SHA} --cleanup --single-snapshot
 
 
 deploy_dev:
@@ -65,7 +56,8 @@ deploy_dev:
   script:
     - echo "Deploy development environment"
     - export VAULT_ADDR="$CI_VAULT_ADDR"
-    - export VAULT_TOKEN=$CI_VAULT_TOKEN
+    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=firecrest jwt=$CI_JOB_JWT)"
+    - if [[ ${#VAULT_TOKEN} -lt 3 ]]; then echo "Error - Vault token empty"; exit 1; fi
     - CI_K8S_TOKEN="$(vault kv get -field=firecrest-cicd-secret firecrest/dev)"
     - CI_REGISTRY_GROUP="$(vault kv get -field=REGISTRY_GROUP firecrest/dev)"
     - CI_REGISTRY_PREFIX="$(vault kv get -field=REPO_PREFIX firecrest/dev)"
@@ -168,7 +160,8 @@ cleanup_dev_deployment:
     name: ${CI_REGISTRY_PREFIX}/ci-util:latest
   script:
     - export VAULT_ADDR="$CI_VAULT_ADDR"
-    - export VAULT_TOKEN=$CI_VAULT_TOKEN
+    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=firecrest jwt=$CI_JOB_JWT)"
+    - if [[ ${#VAULT_TOKEN} -lt 3 ]]; then echo "Error - Vault token empty"; exit 1; fi
     - CI_K8S_TOKEN="$(vault kv get -field=firecrest-cicd-secret firecrest/dev)"
     - CI_REGISTRY_GROUP="$(vault kv get -field=REGISTRY_GROUP firecrest/dev)"
     - CI_REGISTRY_PREFIX="$(vault kv get -field=REPO_PREFIX firecrest/dev)"
@@ -193,7 +186,8 @@ tag_release:
     name: ${CI_REGISTRY_PREFIX}/ci-util:latest
   script:
     - export VAULT_ADDR="$CI_VAULT_ADDR"
-    - export VAULT_TOKEN=$CI_VAULT_TOKEN
+    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=firecrest jwt=$CI_JOB_JWT)"
+    - if [[ ${#VAULT_TOKEN} -lt 3 ]]; then echo "Error - Vault token empty"; exit 1; fi
     - GITLAB_ACCESS_TOKEN="$(vault kv get -field=GITLAB_ACCESS_TOKEN firecrest/dev)"
     - CI_REGISTRY_GROUP="$(vault kv get -field=REGISTRY_GROUP firecrest/dev)"
 
@@ -329,7 +323,8 @@ cleanup_dev_images:
     name: ${CI_REGISTRY_PREFIX}/ci-util:latest
   script:
     - export VAULT_ADDR="$CI_VAULT_ADDR"
-    - export VAULT_TOKEN=$CI_VAULT_TOKEN
+    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=firecrest jwt=$CI_JOB_JWT)"
+    - if [[ ${#VAULT_TOKEN} -lt 3 ]]; then echo "Error - Vault token empty"; exit 1; fi
     - CI_REGISTRY_GROUP="$(vault kv get -field=REGISTRY_GROUP firecrest/dev)"
     - CI_REGISTRY_PREFIX="$(vault kv get -field=REPO_PREFIX firecrest/dev)"
     - >