diff options
author | Dan LaManna <danlamanna@users.noreply.github.com> | 2023-09-14 11:59:25 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-14 09:59:25 -0600 |
commit | 6a249944f56ad942910b70cecb4623130ad8e14c (patch) | |
tree | 62f6eb9f99764160958b4edbe2101dfdc3ccd7f1 /share | |
parent | 6838ee6bb86e5ed7d9ac860731c9e24377c1e39d (diff) | |
download | spack-6a249944f56ad942910b70cecb4623130ad8e14c.tar.gz spack-6a249944f56ad942910b70cecb4623130ad8e14c.tar.bz2 spack-6a249944f56ad942910b70cecb4623130ad8e14c.tar.xz spack-6a249944f56ad942910b70cecb4623130ad8e14c.zip |
Add OIDC tokens to gitlab-ci jobs (#39813)
* Add OIDC tokens to gitlab-ci jobs
This should allow us to start issuing just-in-time generated
credentials for CI jobs that need to modify binary mirrors. The "aud"
claim of the token describes what the token is allowed to do. The
claim is verified against a set of rules on the IAM role using signed
information from GitLab. See spack-infrastructure for the claim
verification logic.
---------
Co-authored-by: Scott Wittenburg <scott.wittenburg@kitware.com>
Diffstat (limited to 'share')
-rw-r--r-- | share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml | 8 | ||||
-rw-r--r-- | share/spack/gitlab/cloud_pipelines/configs/ci.yaml | 15 |
2 files changed, 23 insertions, 0 deletions
diff --git a/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml b/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml index 5860210b28..2467463d81 100644 --- a/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml +++ b/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml @@ -69,6 +69,7 @@ default: .base-job: variables: SPACK_BUILDCACHE_DESTINATION: "s3://spack-binaries/${CI_COMMIT_REF_NAME}/${SPACK_CI_STACK_NAME}" + rules: - if: $CI_COMMIT_REF_NAME == "develop" # Pipelines on develop only rebuild what is missing from the mirror @@ -79,6 +80,7 @@ default: SPACK_REQUIRE_SIGNING: "True" AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY} + OIDC_TOKEN_AUDIENCE: "protected_binary_mirror" - if: $CI_COMMIT_REF_NAME =~ /^releases\/v.*/ # Pipelines on release branches always rebuild everything when: always @@ -90,6 +92,7 @@ default: SPACK_REQUIRE_SIGNING: "True" AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY} + OIDC_TOKEN_AUDIENCE: "protected_binary_mirror" - if: $CI_COMMIT_TAG =~ /^develop-[\d]{4}-[\d]{2}-[\d]{2}$/ || $CI_COMMIT_TAG =~ /^v.*/ # Pipelines on tags (release or dev snapshots) only copy binaries from one mirror to another when: always @@ -99,6 +102,7 @@ default: SPACK_COPY_BUILDCACHE: "s3://spack-binaries/${CI_COMMIT_REF_NAME}" AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY} + OIDC_TOKEN_AUDIENCE: "protected_binary_mirror" - if: $CI_COMMIT_REF_NAME =~ /^pr[\d]+_.*$/ # Pipelines on PR branches rebuild only what's missing, and do extra pruning when: always @@ -109,6 +113,7 @@ default: SPACK_PRUNE_UNTOUCHED_DEPENDENT_DEPTH: "1" AWS_ACCESS_KEY_ID: ${PR_MIRRORS_AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${PR_MIRRORS_AWS_SECRET_ACCESS_KEY} + OIDC_TOKEN_AUDIENCE: "pr_binary_mirror" .generate-common: stage: generate @@ -225,6 +230,9 @@ protected-publish: - curl -fLsS https://spack.github.io/keys/spack-public-binary-key.pub -o /tmp/spack-public-binary-key.pub - aws s3 cp /tmp/spack-public-binary-key.pub "${SPACK_COPY_BUILDCACHE}/build_cache/_pgp/spack-public-binary-key.pub" - spack buildcache update-index --keys "${SPACK_COPY_BUILDCACHE}" + id_tokens: + GITLAB_OIDC_TOKEN: + aud: "${OIDC_TOKEN_AUDIENCE}" ######################################## # TEMPLATE FOR ADDING ANOTHER PIPELINE diff --git a/share/spack/gitlab/cloud_pipelines/configs/ci.yaml b/share/spack/gitlab/cloud_pipelines/configs/ci.yaml index ff115c9c31..5f7e904ba5 100644 --- a/share/spack/gitlab/cloud_pipelines/configs/ci.yaml +++ b/share/spack/gitlab/cloud_pipelines/configs/ci.yaml @@ -32,6 +32,9 @@ ci: CI_JOB_SIZE: "default" CI_GPG_KEY_ROOT: /mnt/key # SPACK_VERBOSE_SCRIPT: "1" + id_tokens: + GITLAB_OIDC_TOKEN: + aud: "${OIDC_TOKEN_AUDIENCE}" - signing-job: image: { "name": "ghcr.io/spack/notary:latest", "entrypoint": [""] } @@ -41,6 +44,9 @@ ci: - /sign.sh - aws s3 sync --exclude "*" --include "*spec.json.sig*" /tmp ${SPACK_REMOTE_MIRROR_OVERRIDE}/build_cache - aws s3 cp /tmp/public_keys ${SPACK_REMOTE_MIRROR_OVERRIDE}/build_cache/_pgp --recursive --exclude "*" --include "*.pub" + id_tokens: + GITLAB_OIDC_TOKEN: + aud: "${OIDC_TOKEN_AUDIENCE}" - copy-job: tags: ["service", "x86_64"] @@ -68,6 +74,9 @@ ci: CI_JOB_SIZE: "medium" KUBERNETES_CPU_REQUEST: "4000m" KUBERNETES_MEMORY_REQUEST: "16G" + id_tokens: + GITLAB_OIDC_TOKEN: + aud: "${OIDC_TOKEN_AUDIENCE}" - reindex-job: tags: ["service", "x86_64"] @@ -76,6 +85,9 @@ ci: CI_JOB_SIZE: "medium" KUBERNETES_CPU_REQUEST: "4000m" KUBERNETES_MEMORY_REQUEST: "16G" + id_tokens: + GITLAB_OIDC_TOKEN: + aud: "${OIDC_TOKEN_AUDIENCE}" - cleanup-job: tags: ["service"] @@ -83,6 +95,9 @@ ci: CI_JOB_SIZE: "small" KUBERNETES_CPU_REQUEST: "500m" KUBERNETES_MEMORY_REQUEST: "500M" + id_tokens: + GITLAB_OIDC_TOKEN: + aud: "${OIDC_TOKEN_AUDIENCE}" - noop-job: tags: ["service"] |