authorDan LaManna <danlamanna@users.noreply.github.com>2023-09-14 11:59:25 -0400
committerGitHub <noreply@github.com>2023-09-14 09:59:25 -0600
commit6a249944f56ad942910b70cecb4623130ad8e14c (patch)
tree62f6eb9f99764160958b4edbe2101dfdc3ccd7f1 /share
parent6838ee6bb86e5ed7d9ac860731c9e24377c1e39d (diff)
Add OIDC tokens to gitlab-ci jobs (#39813)
* Add OIDC tokens to gitlab-ci jobs. This should allow us to start issuing just-in-time generated credentials for CI jobs that need to modify binary mirrors. The "aud" claim of the token describes what the token is allowed to do. The claim is verified against a set of rules on the IAM role using signed information from GitLab. See spack-infrastructure for the claim verification logic. --------- Co-authored-by: Scott Wittenburg <scott.wittenburg@kitware.com>
Diffstat (limited to 'share')
-rw-r--r--share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml8
-rw-r--r--share/spack/gitlab/cloud_pipelines/configs/ci.yaml15
2 files changed, 23 insertions, 0 deletions
diff --git a/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml b/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml
index 5860210b28..2467463d81 100644
--- a/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml
+++ b/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml
@@ -69,6 +69,7 @@ default:
.base-job:
variables:
SPACK_BUILDCACHE_DESTINATION: "s3://spack-binaries/${CI_COMMIT_REF_NAME}/${SPACK_CI_STACK_NAME}"
+
rules:
- if: $CI_COMMIT_REF_NAME == "develop"
# Pipelines on develop only rebuild what is missing from the mirror
@@ -79,6 +80,7 @@ default:
SPACK_REQUIRE_SIGNING: "True"
AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID}
AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY}
+ OIDC_TOKEN_AUDIENCE: "protected_binary_mirror"
- if: $CI_COMMIT_REF_NAME =~ /^releases\/v.*/
# Pipelines on release branches always rebuild everything
when: always
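Review bot: The long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pair stays in place right next to the new `OIDC_TOKEN_AUDIENCE` on this rule, so two credential paths now coexist and nothing in the file says which one a job is expected to use or that the static keys are meant to go away; the same applies to the hunks at `@@ -90,6 +92,7`, `@@ -99,6 +102,7` and `@@ -109,6 +113,7`. A short comment above each audience line would make the intent explicit, e.g. `# aud claim for the GitLab ID token; the IAM role's trust rules check it (see spack-infrastructure). The AWS_* keys above are presumably transitional.` The `.base-job` rules list these lines belong to begins in the previous hunk and continues past this one.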
@@ -90,6 +92,7 @@ default:
SPACK_REQUIRE_SIGNING: "True"
AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID}
AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY}
+ OIDC_TOKEN_AUDIENCE: "protected_binary_mirror"
- if: $CI_COMMIT_TAG =~ /^develop-[\d]{4}-[\d]{2}-[\d]{2}$/ || $CI_COMMIT_TAG =~ /^v.*/
# Pipelines on tags (release or dev snapshots) only copy binaries from one mirror to another
when: always
@@ -99,6 +102,7 @@ default:
SPACK_COPY_BUILDCACHE: "s3://spack-binaries/${CI_COMMIT_REF_NAME}"
AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID}
AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY}
+ OIDC_TOKEN_AUDIENCE: "protected_binary_mirror"
- if: $CI_COMMIT_REF_NAME =~ /^pr[\d]+_.*$/
# Pipelines on PR branches rebuild only what's missing, and do extra pruning
when: always
@@ -109,6 +113,7 @@ default:
SPACK_PRUNE_UNTOUCHED_DEPENDENT_DEPTH: "1"
AWS_ACCESS_KEY_ID: ${PR_MIRRORS_AWS_ACCESS_KEY_ID}
AWS_SECRET_ACCESS_KEY: ${PR_MIRRORS_AWS_SECRET_ACCESS_KEY}
+ OIDC_TOKEN_AUDIENCE: "pr_binary_mirror"
.generate-common:
stage: generate
@@ -225,6 +230,9 @@ protected-publish:
- curl -fLsS https://spack.github.io/keys/spack-public-binary-key.pub -o /tmp/spack-public-binary-key.pub
- aws s3 cp /tmp/spack-public-binary-key.pub "${SPACK_COPY_BUILDCACHE}/build_cache/_pgp/spack-public-binary-key.pub"
- spack buildcache update-index --keys "${SPACK_COPY_BUILDCACHE}"
+ id_tokens:
+ GITLAB_OIDC_TOKEN:
+ aud: "${OIDC_TOKEN_AUDIENCE}"
########################################
# TEMPLATE FOR ADDING ANOTHER PIPELINE
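Review bot: The `aud` requested for `protected-publish` depends on `OIDC_TOKEN_AUDIENCE` being defined when the job runs, yet that variable is only set inside the `.base-job` rules earlier in this file, and the job's definition (which would show whether it extends `.base-job`) starts above this hunk. If the variable is unset, `"${OIDC_TOKEN_AUDIENCE}"` expands to an empty audience, which the IAM trust rules described in the commit message would presumably reject, so the failure would surface at publish time rather than at pipeline validation. Given that this job reads `SPACK_COPY_BUILDCACHE`, which only the tag rule sets, it looks like it runs solely on protected refs; if so, pinning the value literally, `aud: "protected_binary_mirror"`, states the privilege the job needs without a cross-file lookup, and otherwise a comment naming the rule that supplies the variable would help.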
diff --git a/share/spack/gitlab/cloud_pipelines/configs/ci.yaml b/share/spack/gitlab/cloud_pipelines/configs/ci.yaml
index ff115c9c31..5f7e904ba5 100644
--- a/share/spack/gitlab/cloud_pipelines/configs/ci.yaml
+++ b/share/spack/gitlab/cloud_pipelines/configs/ci.yaml
@@ -32,6 +32,9 @@ ci:
CI_JOB_SIZE: "default"
CI_GPG_KEY_ROOT: /mnt/key
# SPACK_VERBOSE_SCRIPT: "1"
+ id_tokens:
+ GITLAB_OIDC_TOKEN:
+ aud: "${OIDC_TOKEN_AUDIENCE}"
- signing-job:
image: { "name": "ghcr.io/spack/notary:latest", "entrypoint": [""] }
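Review bot: The three-line `id_tokens` block added here is repeated verbatim for the signing, copy, reindex and cleanup jobs in the following hunks (`@@ -41,6 +44,9`, `@@ -68,6 +74,9`, `@@ -76,6 +85,9`, `@@ -83,6 +95,9`), and nothing in ci.yaml says where `OIDC_TOKEN_AUDIENCE` comes from in the generated child pipeline; if it is not propagated from the parent pipeline's `.base-job` rules, every one of these jobs asks for a token with an empty `aud`. A comment on the first occurrence would spare the next reader a search across files, e.g. `# aud comes from OIDC_TOKEN_AUDIENCE, set per ref type by the .base-job rules in .gitlab-ci.yml`. Whether spack's ci config accepts a YAML anchor to deduplicate the block is not visible here, so the repetition may be unavoidable. The job these lines belong to starts above the hunk.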
@@ -41,6 +44,9 @@ ci:
- /sign.sh
- aws s3 sync --exclude "*" --include "*spec.json.sig*" /tmp ${SPACK_REMOTE_MIRROR_OVERRIDE}/build_cache
- aws s3 cp /tmp/public_keys ${SPACK_REMOTE_MIRROR_OVERRIDE}/build_cache/_pgp --recursive --exclude "*" --include "*.pub"
+ id_tokens:
+ GITLAB_OIDC_TOKEN:
+ aud: "${OIDC_TOKEN_AUDIENCE}"
- copy-job:
tags: ["service", "x86_64"]
@@ -68,6 +74,9 @@ ci:
CI_JOB_SIZE: "medium"
KUBERNETES_CPU_REQUEST: "4000m"
KUBERNETES_MEMORY_REQUEST: "16G"
+ id_tokens:
+ GITLAB_OIDC_TOKEN:
+ aud: "${OIDC_TOKEN_AUDIENCE}"
- reindex-job:
tags: ["service", "x86_64"]
@@ -76,6 +85,9 @@ ci:
CI_JOB_SIZE: "medium"
KUBERNETES_CPU_REQUEST: "4000m"
KUBERNETES_MEMORY_REQUEST: "16G"
+ id_tokens:
+ GITLAB_OIDC_TOKEN:
+ aud: "${OIDC_TOKEN_AUDIENCE}"
- cleanup-job:
tags: ["service"]
@@ -83,6 +95,9 @@ ci:
CI_JOB_SIZE: "small"
KUBERNETES_CPU_REQUEST: "500m"
KUBERNETES_MEMORY_REQUEST: "500M"
+ id_tokens:
+ GITLAB_OIDC_TOKEN:
+ aud: "${OIDC_TOKEN_AUDIENCE}"
- noop-job:
tags: ["service"]