-
Notifications
You must be signed in to change notification settings - Fork 0
Vault with Frizea configuration #10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| name: 'Vault with Frieza Cleanup' | ||
| description: 'Log in to Vault, fetch Outscale credentials, initialize Frieza, and auto-revoke the Vault token at job completion.' | ||
|
|
||
| inputs: | ||
| vault_url: | ||
| description: 'The URL for the Vault endpoint' | ||
| required: false | ||
| default: 'http://127.0.0.1:8200/' | ||
| vault_role: | ||
| description: 'Vault role for JWT/OIDC auth method' | ||
| required: true | ||
| vault_path: | ||
| description: 'The Vault path for the auth method' | ||
| required: false | ||
| default: 'github-action' | ||
| frieza_version: | ||
| description: 'Frieza version to use. Default is latest.' | ||
| required: false | ||
| default: 'latest' | ||
| clean_timeout: | ||
| description: 'Timeout when cleaning resources.' | ||
| required: false | ||
| default: '5m' | ||
| error_on_dirty: | ||
| description: 'Exit in error when the account is not clean.' | ||
| required: false | ||
| default: 'false' | ||
| ignore_cleanup_failure: | ||
| description: 'Ignore cleanup failures and continue.' | ||
| required: false | ||
| default: 'false' | ||
| providers: | ||
| description: 'List of systems (comma-separated: outscale_oapi,outscale_oos,outscale_oks,...).' | ||
| required: false | ||
| default: 'outscale_oapi' | ||
| osc_account: | ||
| description: "Accout alias to target" | ||
| required: true | ||
| vault_creds_type: | ||
| description: "type of role" | ||
| required: false | ||
| default: "root-creds" | ||
|
|
||
| outputs: | ||
| access_key: | ||
| description: "ak" | ||
| value: ${{ steps.import-secrets.outputs.OSC_ACCESS_KEY }} | ||
| secret_key: | ||
| description: "sk" | ||
| value: ${{ steps.import-secrets.outputs.OSC_SECRET_KEY }} | ||
| region: | ||
| description: "Outscale region used" | ||
| value: ${{ steps.import-secrets.outputs.OSC_REGION }} | ||
|
|
||
| runs: | ||
| using: 'composite' | ||
| steps: | ||
| - name: 🔒️ Import Secrets from Vault | ||
| id: import-secrets | ||
| uses: hashicorp/vault-action@v4 | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. a little pin ? |
||
| with: | ||
| url: ${{ inputs.vault_url }} | ||
| method: jwt | ||
| path: ${{ inputs.vault_path }} | ||
| exportEnv: true | ||
| outputToken: true | ||
| role: ${{ inputs.vault_role }} | ||
| secrets: | | ||
| osc-${{ inputs.osc_account }}/${{ inputs.vault_creds_type }}/${{ inputs.vault_role }} access_key | OSC_ACCESS_KEY ; | ||
| osc-${{ inputs.osc_account }}/${{ inputs.vault_creds_type }}/${{ inputs.vault_role }} secret_key | OSC_SECRET_KEY ; | ||
| osc-${{ inputs.osc_account }}/config region | OSC_REGION | ||
|
|
||
| - name: 🧹 Register Frieza Clean | ||
| uses: outscale/frieza-github-actions/frieza-clean@68ffd39d7e181f3548369e332242b329b04a3182 # Pinning to master/commit SHA | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. frieza-github-actions is now tagged based on frieza versions.
|
||
| with: | ||
| access_key: ${{ steps.import-secrets.outputs.OSC_ACCESS_KEY }} | ||
| secret_key: ${{ steps.import-secrets.outputs.OSC_SECRET_KEY }} | ||
| region: ${{ steps.import-secrets.outputs.OSC_REGION }} | ||
| frieza_version: ${{ inputs.frieza_version }} | ||
| clean_timeout: ${{ inputs.clean_timeout }} | ||
| error_on_dirty: ${{ inputs.error_on_dirty }} | ||
| ignore_cleanup_failure: ${{ inputs.ignore_cleanup_failure }} | ||
| providers: ${{ inputs.providers }} | ||
| post_script: | | ||
| curl -XPOST -sv \ | ||
| -H "X-Vault-Token: ${{ steps.import-secrets.outputs.vault_token }}" \ | ||
| http://127.0.0.1:8200/v1/auth/token/revoke-self | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should pin to a frieza binary.
I would remove this input, as the frieza action is already pinned to a frieza version.
The alternative would be to pin here, but this would be hard to maintain two version pins on each frieza upgrade.