diff --git a/Makefile b/Makefile
index e384bc5a6d3ec..41dd047eb8349 100644
--- a/Makefile
+++ b/Makefile
@@ -286,11 +286,11 @@ azure:
 $(MAKE) apply WHAT=projects/azure/cluster-wide.yaml
 $(MAKE) apply WHAT=projects/azure/rbac.yaml
 # ci namespace objects
- oc create secret generic cluster-secrets-azure --from-file=cluster/test-deploy/azure/secret -o yaml --dry-run | oc apply -n ci -f -
+ oc create secret generic cluster-secrets-azure-file --from-file=cluster/test-deploy/azure/secret -o yaml --dry-run | oc apply -n ci -f -
 oc create configmap prow-job-cluster-launch-e2e-azure --from-file=ci-operator/templates/cluster-launch-e2e-azure.yaml -o yaml --dry-run | oc apply -n ci -f -
 # azure namespace objects
- oc create secret generic cluster-secrets-azure --from-literal=azure_client_id=${AZURE_CLIENT_ID} --from-literal=azure_client_secret=${AZURE_CLIENT_SECRET} --from-literal=azure_tenant_id=${AZURE_TENANT_ID} --from-literal=azure_subscription_id=${AZURE_SUBSCRIPTION_ID} -o yaml --dry-run | oc apply -n azure -f -
+ oc create secret generic cluster-secrets-azure-env --from-literal=azure_client_id=${AZURE_CLIENT_ID} --from-literal=azure_client_secret=${AZURE_CLIENT_SECRET} --from-literal=azure_tenant_id=${AZURE_TENANT_ID} --from-literal=azure_subscription_id=${AZURE_SUBSCRIPTION_ID} -o yaml --dry-run | oc apply -n azure -f -
 oc create secret generic aws-reg-master --from-literal=username=${AWS_REG_USERNAME} --from-literal=password=${AWS_REG_PASSWORD} -o yaml --dry-run | oc apply -n azure -f -
 oc create secret generic hmac-token --from-literal=hmac=${HMAC_TOKEN} -o yaml --dry-run | oc apply -n azure -f -
 oc create secret generic oauth-token --from-literal=oauth=${OAUTH_TOKEN} -o yaml --dry-run | oc apply -n azure -f -
diff --git a/ci-operator/jobs/openshift/openshift-azure/openshift-openshift-azure-postsubmits.yaml b/ci-operator/jobs/openshift/openshift-azure/openshift-openshift-azure-postsubmits.yaml
index f35f90fc54770..c96700b4da7a3 100644
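Review bot: The recipe now creates `cluster-secrets-azure-file` in `ci` and `cluster-secrets-azure-env` in `azure`, but the old `cluster-secrets-azure` secret that holds the same Azure credentials is never removed from either namespace, so a stale, still-readable copy stays behind and silently diverges from the new ones on the next rotation. Add `oc delete secret cluster-secrets-azure -n ci --ignore-not-found` under the ci namespace objects and `oc delete secret cluster-secrets-azure -n azure --ignore-not-found` under the azure namespace objects so the rename is a move rather than a copy. Note also that an unset `AZURE_CLIENT_SECRET` (or any of the other variables) yields an empty `--from-literal` value without any error, because `--dry-run | oc apply` validates nothing; a guard such as `test -n "$(AZURE_CLIENT_SECRET)"` before the `oc create` line would catch that. The `azure` target this recipe belongs to starts before the hunk.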
--- a/ci-operator/jobs/openshift/openshift-azure/openshift-openshift-azure-postsubmits.yaml
+++ b/ci-operator/jobs/openshift/openshift-azure/openshift-openshift-azure-postsubmits.yaml
@@ -37,17 +37,17 @@ postsubmits:
 name: job-definition
 subPath: cluster-launch-e2e-azure.yaml
 - mountPath: /usr/local/e2e-azure-secret
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-file
 serviceAccountName: ci-operator
 volumes:
 - configMap:
 name: prow-job-cluster-launch-e2e-azure
 name: job-definition
- - name: cluster-secrets-azure
+ - name: cluster-secrets-azure-file
 projected:
 sources:
 - secret:
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-file
 - agent: kubernetes
 branches:
 - master
@@ -86,14 +86,14 @@ postsubmits:
 name: job-definition
 subPath: cluster-launch-e2e-azure-upgrade.yaml
 - mountPath: /usr/local/e2e-azure-secret
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-file
 serviceAccountName: ci-operator
 volumes:
 - configMap:
 name: prow-job-cluster-launch-e2e-azure-upgrade
 name: job-definition
- - name: cluster-secrets-azure
+ - name: cluster-secrets-azure-file
 projected:
 sources:
 - secret:
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-file
diff --git a/ci-operator/jobs/openshift/openshift-azure/openshift-openshift-azure-presubmits.yaml b/ci-operator/jobs/openshift/openshift-azure/openshift-openshift-azure-presubmits.yaml
index d4130b46847c3..d0dfe16bb47ed 100644
--- a/ci-operator/jobs/openshift/openshift-azure/openshift-openshift-azure-presubmits.yaml
+++ b/ci-operator/jobs/openshift/openshift-azure/openshift-openshift-azure-presubmits.yaml
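Review bot: The projected volume for `cluster-secrets-azure-file` in this hunk carries no `defaultMode` (the only child of `projected:` is `sources:`), so the Azure credential file mounted at `/usr/local/e2e-azure-secret` is created with the projected-volume default of 0644 and is readable by every process in the container, not only the step that sources it. Since the commit already rewrites these lines, adding a mode here is cheap, e.g. `defaultMode: 0440` under `projected:`; the exact value depends on the UID/fsGroup the ci-operator pod runs with, which is not visible in this diff. The same applies to the upgrade-job hunk below and to the three hunks in the presubmits file. The job definition containing this volume starts before the hunk.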
@@ -44,17 +44,17 @@ presubmits:
 name: job-definition
 subPath: cluster-launch-e2e-azure.yaml
 - mountPath: /usr/local/e2e-azure-secret
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-file
 serviceAccountName: ci-operator
 volumes:
 - configMap:
 name: prow-job-cluster-launch-e2e-azure
 name: job-definition
- - name: cluster-secrets-azure
+ - name: cluster-secrets-azure-file
 projected:
 sources:
 - secret:
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-file
 trigger: ((?m)^/test( all| e2e),?(\s+|$))
 - agent: kubernetes
 always_run: true
@@ -166,17 +166,17 @@ presubmits:
 name: job-definition
 subPath: cluster-launch-e2e-azure-upgrade.yaml
 - mountPath: /usr/local/e2e-azure-secret
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-file
 serviceAccountName: ci-operator
 volumes:
 - configMap:
 name: prow-job-cluster-launch-e2e-azure-upgrade
 name: job-definition
- - name: cluster-secrets-azure
+ - name: cluster-secrets-azure-file
 projected:
 sources:
 - secret:
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-file
 trigger: ((?m)^/test upgrade,?(\s+|$))
 - agent: kubernetes
 always_run: false
@@ -226,15 +226,15 @@ presubmits:
 name: job-definition
 subPath: cluster-launch-e2e-azure-conformance.yaml
 - mountPath: /usr/local/e2e-azure-secret
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-file
 serviceAccountName: ci-operator
 volumes:
 - configMap:
 name: prow-job-cluster-launch-e2e-azure-conformance
 name: job-definition
- - name: cluster-secrets-azure
+ - name: cluster-secrets-azure-file
 projected:
 sources:
 - secret:
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-file
 trigger: ((?m)^/test conformance,?(\s+|$))
diff --git a/projects/azure/README.md b/projects/azure/README.md
index 3e30be9f22c4a..46fa69f9a7924 100644
--- a/projects/azure/README.md
+++ b/projects/azure/README.md
@@ -10,7 +10,7 @@ Prow configuration is located in this repository `ci-operator/jobs/openshift/ope
 To run CI-Operator job manually you need to have to have [CI-Operator](https://github.com/openshift/ci-operator) installed in your path. Modify secret location in file `cluster-launch-e2e-azure.yaml` as below. This is because `ci-operator` set secret based on path where files are located and they are different in local development and CI server.
-``` - name: cluster-secrets-azure
+``` - name: cluster-secrets-azure-file
 secret:
 secretName: azure
 ```
@@ -25,6 +25,15 @@ ci-operator --config ci-operator/config/openshift/openshift-azure/master.yaml --
 # Secret rotation
+We use 2 types of secrets. Both of them contain the same data but in a different formats.
+
+```
+-file - file based secret. It can be sourced by script (see ci-operator jobs code)
+-env - environment based secret. It can be injected to pod using pod spec (see azure-purge code)
+```
+
+## File secret
+
 OSA jobs are using `Web API App` credentials on Azure to run jobs. If for some reason you need to rotate secret, follow this process:
 1. Go to `Azure Active Directory` -> `App Registrations` -> `ci-operator-jobs` -> `Settings` -> `Keys`
@@ -41,24 +50,26 @@ export AZURE_SUBSCRIPTION_ID=
 4. Create a secret
 ```
-oc create secret generic cluster-secrets-azure --from-file=cluster/test-deploy/azure/secret -o yaml --dry-run | oc apply -n ci -f -
+oc create secret generic cluster-secrets-azure-file --from-file=cluster/test-deploy/azure/secret -o yaml --dry-run | oc apply -n ci -f -
 ```
 5. (Optional, if you dont have access to CI namespace)
 ```
-oc apply secret generic cluster-secrets-azure-temp --from-file=cluster/test-deploy/azure/secret -o yaml --dry-run | oc apply -n azure -f -
+oc apply secret generic cluster-secrets-azure-file --from-file=cluster/test-deploy/azure/secret -o yaml --dry-run | oc apply -n azure -f -
 ```
 and ask somebody, who has access to execute:
 ```
-oc get secret cluster-secrets-azure-temp --export -n azure -o yaml | sed 's/cluster-secrets-azure-temp/cluster-secrets-azure/g' | oc apply -f - -n ci
+oc get secret cluster-secrets-azure-file --export -n azure -o yaml | oc apply -f - -n ci
 ```
-6. Do the same for azure secret. It has slightly different format:
+## Env secret
+
+Rotate azure env secret:
 ```
 source ./cluster/test-deploy/azure/secret
-oc create secret generic cluster-secrets-azure --from-literal=azure_client_id=${AZURE_CLIENT_ID} --from-literal=azure_client_secret=${AZURE_CLIENT_SECRET} --from-literal=azure_tenant_id=${AZURE_TENANT_ID} --from-literal=azure_subscription_id=${AZURE_SUBSCRIPTION_ID} -o yaml --dry-run | oc apply -n azure -f -
+oc create secret generic cluster-secrets-azure-env --from-literal=azure_client_id=${AZURE_CLIENT_ID} --from-literal=azure_client_secret=${AZURE_CLIENT_SECRET} --from-literal=azure_tenant_id=${AZURE_TENANT_ID} --from-literal=azure_subscription_id=${AZURE_SUBSCRIPTION_ID} -o yaml --dry-run | oc apply -n azure -f -
 ```
diff --git a/projects/azure/azure-purge/cronjob.yaml b/projects/azure/azure-purge/cronjob.yaml
index a1ac4ab2eea83..22b0b9c7ff04f 100644
--- a/projects/azure/azure-purge/cronjob.yaml
+++ b/projects/azure/azure-purge/cronjob.yaml
@@ -22,21 +22,21 @@ spec:
 - name: AZURE_TENANT_ID
 valueFrom:
 secretKeyRef:
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-env
 key: azure_tenant_id
 - name: AZURE_SUBSCRIPTION_ID
 valueFrom:
 secretKeyRef:
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-env
 key: azure_subscription_id
 - name: AZURE_CLIENT_ID
 valueFrom:
 secretKeyRef:
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-env
 key: azure_client_id
 - name: AZURE_CLIENT_SECRET
 valueFrom:
 secretKeyRef:
- name: cluster-secrets-azure
+ name: cluster-secrets-azure-env
 key: azure_client_secret
 restartPolicy: Never