From 31efd43811e8d9b86f34458a8d0fd644cfa146e7 Mon Sep 17 00:00:00 2001 From: "Ch.-David Blot" Date: Fri, 26 Jun 2026 11:28:46 +0200 Subject: [PATCH 1/2] =?UTF-8?q?=E2=9C=A8=20feat:=20add=20Vault=20+=20Friez?= =?UTF-8?q?a=20Cleanup?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- vault-frieza-clean/action.yml | 98 +++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 vault-frieza-clean/action.yml diff --git a/vault-frieza-clean/action.yml b/vault-frieza-clean/action.yml new file mode 100644 index 0000000..d1a5793 --- /dev/null +++ b/vault-frieza-clean/action.yml @@ -0,0 +1,98 @@ +name: 'Vault with Frieza Cleanup' +description: 'Log in to Vault, fetch Outscale credentials, initialize Frieza, and auto-revoke the Vault token at job completion.' + +inputs: + vault_url: + description: 'The URL for the Vault endpoint' + required: false + default: 'http://127.0.0.1:8200/' + vault_role: + description: 'Vault role for JWT/OIDC auth method' + required: true + vault_path: + description: 'The Vault path for the auth method' + required: false + default: 'github-action' + frieza_version: + description: 'Frieza version to use. Default is latest.' + required: false + default: 'latest' + clean_timeout: + description: 'Timeout when cleaning resources.' + required: false + default: '5m' + error_on_dirty: + description: 'Exit in error when the account is not clean.' + required: false + default: 'false' + ignore_cleanup_failure: + description: 'Ignore cleanup failures and continue.' + required: false + default: 'false' + providers: + description: 'List of systems (comma-separated: outscale_oapi,outscale_oos,outscale_oks,...).' + required: false + default: 'outscale_oapi' + skip_token_revocation: + description: 'Skip auto-revoking the Vault token in the post-script sequence.' + required: false + default: 'false' + osc_account: + description: "Accout alias to target" + required: true + vault_creds_type: + description: "type of role" + required: false + default: "root-creds" + +outputs: + access_key: + description: "ak" + value: ${{ steps.import-secrets.outputs.OSC_ACCESS_KEY }} + secret_key: + description: "sk" + value: ${{ steps.import-secrets.outputs.OSC_SECRET_KEY }} + region: + description: "Outscale region used" + value: ${{ steps.import-secrets.outputs.OSC_REGION }} + +runs: + using: 'composite' + steps: + - name: ๐Ÿ”’๏ธ Import Secrets from Vault + id: import-secrets + uses: hashicorp/vault-action@v3 + with: + url: ${{ inputs.vault_url }} + method: jwt + path: ${{ inputs.vault_path }} + exportEnv: true + outputToken: true + role: ${{ inputs.vault_role }} + secrets: | + osc-${{ inputs.osc_account }}/${{ inputs.vault_creds_type }}/${{ inputs.vault_role }} access_key | OSC_ACCESS_KEY ; + osc-${{ inputs.osc_account }}/${{ inputs.vault_creds_type }}/${{ inputs.vault_role }} secret_key | OSC_SECRET_KEY ; + osc-${{ inputs.osc_account }}/config region | OSC_REGION ; + + - name: ๐Ÿงน Register Frieza Clean + uses: outscale/frieza-github-actions/frieza-clean@68ffd39d7e181f3548369e332242b329b04a3182 # Pinning to master/commit SHA + with: + access_key: ${{ steps.import-secrets.outputs.OSC_ACCESS_KEY }} + secret_key: ${{ steps.import-secrets.outputs.OSC_SECRET_KEY }} + region: ${{ steps.import-secrets.outputs.OSC_REGION }} + frieza_version: ${{ inputs.frieza_version }} + clean_timeout: ${{ inputs.clean_timeout }} + error_on_dirty: ${{ inputs.error_on_dirty }} + ignore_cleanup_failure: ${{ inputs.ignore_cleanup_failure }} + providers: ${{ inputs.providers }} + post_script: | + if [ "${{ inputs.skip_token_revocation }}" != "true" ]; then + echo "Safe post-job phase reached. Revoking Vault token..." + vault_url_clean="${{ inputs.vault_url }}" + vault_url_clean="${vault_url_clean%/}" + + headers=(-s -X POST -H "X-Vault-Token: ${{ steps.import-secrets.outputs.vault_token }}") + curl "${headers[@]}" "$vault_url_clean/v1/auth/token/revoke-self" || echo "Token revocation skipped or failed." + else + echo "Vault token revocation is deactivated." + fi From eb7bd1e0360703d0ad355bce46029ae8d49bac04 Mon Sep 17 00:00:00 2001 From: "Ch.-David Blot" Date: Fri, 26 Jun 2026 14:06:55 +0200 Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=A5=20remove:=20remove=20skip=20to?= =?UTF-8?q?ken=20cleaning?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- vault-frieza-clean/action.yml | 21 +++++---------------- 1 file changed, 5 insertions(+), 16 deletions(-) diff --git a/vault-frieza-clean/action.yml b/vault-frieza-clean/action.yml index d1a5793..c837fb2 100644 --- a/vault-frieza-clean/action.yml +++ b/vault-frieza-clean/action.yml @@ -33,10 +33,6 @@ inputs: description: 'List of systems (comma-separated: outscale_oapi,outscale_oos,outscale_oks,...).' required: false default: 'outscale_oapi' - skip_token_revocation: - description: 'Skip auto-revoking the Vault token in the post-script sequence.' - required: false - default: 'false' osc_account: description: "Accout alias to target" required: true @@ -61,7 +57,7 @@ runs: steps: - name: ๐Ÿ”’๏ธ Import Secrets from Vault id: import-secrets - uses: hashicorp/vault-action@v3 + uses: hashicorp/vault-action@v4 with: url: ${{ inputs.vault_url }} method: jwt @@ -72,7 +68,7 @@ runs: secrets: | osc-${{ inputs.osc_account }}/${{ inputs.vault_creds_type }}/${{ inputs.vault_role }} access_key | OSC_ACCESS_KEY ; osc-${{ inputs.osc_account }}/${{ inputs.vault_creds_type }}/${{ inputs.vault_role }} secret_key | OSC_SECRET_KEY ; - osc-${{ inputs.osc_account }}/config region | OSC_REGION ; + osc-${{ inputs.osc_account }}/config region | OSC_REGION - name: ๐Ÿงน Register Frieza Clean uses: outscale/frieza-github-actions/frieza-clean@68ffd39d7e181f3548369e332242b329b04a3182 # Pinning to master/commit SHA @@ -86,13 +82,6 @@ runs: ignore_cleanup_failure: ${{ inputs.ignore_cleanup_failure }} providers: ${{ inputs.providers }} post_script: | - if [ "${{ inputs.skip_token_revocation }}" != "true" ]; then - echo "Safe post-job phase reached. Revoking Vault token..." - vault_url_clean="${{ inputs.vault_url }}" - vault_url_clean="${vault_url_clean%/}" - - headers=(-s -X POST -H "X-Vault-Token: ${{ steps.import-secrets.outputs.vault_token }}") - curl "${headers[@]}" "$vault_url_clean/v1/auth/token/revoke-self" || echo "Token revocation skipped or failed." - else - echo "Vault token revocation is deactivated." - fi + curl -XPOST -sv \ + -H "X-Vault-Token: ${{ steps.import-secrets.outputs.vault_token }}" \ + http://127.0.0.1:8200/v1/auth/token/revoke-self