Retrieve secrets from Vault, fix test-provider CI (#1676)

nebari-dev · Apr 5, 2023 · ef06c1e · ef06c1e
1 parent 9d4e479
commit ef06c1e
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 34 deletions.
diff --git a/.github/workflows/test-provider.yaml b/.github/workflows/test-provider.yaml
@@ -31,26 +31,21 @@ on:
         required: true
         type: string
 
-env:
-  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-  ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
-  ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
-
 jobs:
   test-render-providers:
     if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
     name: "Test Nebari Provider"
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
     strategy:
       matrix:
         provider:
           - aws
           - azure
-          - do
+          # - do
           - gcp
           - local
           - existing
@@ -72,34 +67,68 @@ jobs:
         uses: actions/setup-python@v4
         with:
           python-version: 3.8
-      - name: Set up Cloud SDK
-        uses: google-github-actions/setup-gcloud@v0
+
+      - name: Retrieve secret from Vault
+        uses: hashicorp/vault-action@v2.5.0
+        with:
+          method: jwt
+          url: "https://quansight-public-vault-fe415d04.c219cf75.z1.hashicorp.cloud:8200"
+          namespace: "admin/quansight"
+          role: "repository-nebari-dev-nebari-role"
+          secrets: |
+            kv/data/repository/nebari-dev/nebari/amazon_web_services/nebari-dev-ci role_name | AWS_ROLE_ARN;
+            kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci project_id | PROJECT_ID;
+            kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci workload_identity_provider | GCP_WORKFLOW_PROVIDER;
+            kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci service_account_name | GCP_SERVICE_ACCOUNT;
+            kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci client_id | ARM_CLIENT_ID;
+            kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci tenant_id | ARM_TENANT_ID;
+            kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci subscription_id | ARM_SUBSCRIPTION_ID;
+          # kv/data/repository/nebari-dev/nebari/shared_secrets DIGITALOCEAN_TOKEN | DIGITALOCEAN_TOKEN;
+
+      - name: 'Authenticate to GCP'
         if: ${{ matrix.provider == 'gcp' }}
+        uses: 'google-github-actions/auth@v1'
         with:
-          project_id: ${{ secrets.GCP_PROJECT_ID }}
-          service_account_key: ${{ secrets.GOOGLE_CREDENTIALS }}
-      - name: Use gcloud CLI
+          token_format: access_token
+          create_credentials_file: 'true'
+          workload_identity_provider: ${{ env.GCP_WORKFLOW_PROVIDER }}
+          service_account: ${{ env.GCP_SERVICE_ACCOUNT }}
+
+      - name: Set required environment variables
         if: ${{ matrix.provider == 'gcp' }}
-        run: gcloud info
-      - name: Login to Azure
-        uses: azure/login@v1
-        if: ${{ matrix.provider == 'azure' }}
+        run: |
+          echo "GOOGLE_CREDENTIALS=${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" >> $GITHUB_ENV
+
+      - name: 'Authenticate to AWS'
+        if: ${{ matrix.provider == 'aws' }}
+        uses: aws-actions/configure-aws-credentials@v1
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
-      - name: Use az CLI
+          role-to-assume: ${{ env.AWS_ROLE_ARN }}
+          role-session-name: github-action
+          aws-region: us-east-1
+
+      - name: 'Azure login'
         if: ${{ matrix.provider == 'azure' }}
-        run: az version
+        uses: azure/login@v1
+        with:
+          client-id: ${{ env.ARM_CLIENT_ID }}
+          tenant-id: ${{ env.ARM_TENANT_ID }}
+          subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
+
       - name: Install Nebari
         run: |
           pip install .[dev]
+
       - name: Nebari Initialize
         run: |
           nebari init "${{ matrix.provider }}" --project "TestProvider" --domain "${{ matrix.provider }}.nebari.dev" --auth-provider github --disable-prompt --ci-provider ${{ matrix.cicd }}
           cat "nebari-config.yaml"
+
       - name: Nebari Render
         run: |
           nebari render -c "nebari-config.yaml" -o "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment"
           cp "nebari-config.yaml" "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment/nebari-config.yaml"
+
       - name: Nebari Render Artifact
         uses: actions/upload-artifact@master
         with:

diff --git a/nebari/cli/init.py b/nebari/cli/init.py
@@ -174,15 +174,10 @@ def check_cloud_provider_creds(ctx: typer.Context, cloud_provider: str):
                 provider="Azure", link_to_docs=CREATE_AZURE_CREDS
             )
         )
-
         os.environ["ARM_CLIENT_ID"] = typer.prompt(
             "Paste your ARM_CLIENT_ID",
             hide_input=True,
         )
-        os.environ["ARM_CLIENT_SECRET"] = typer.prompt(
-            "Paste your ARM_CLIENT_SECRET",
-            hide_input=True,
-        )
         os.environ["ARM_SUBSCRIPTION_ID"] = typer.prompt(
             "Paste your ARM_SUBSCRIPTION_ID",
             hide_input=True,
@@ -191,6 +186,10 @@ def check_cloud_provider_creds(ctx: typer.Context, cloud_provider: str):
             "Paste your ARM_TENANT_ID",
             hide_input=True,
         )
+        os.environ["ARM_CLIENT_SECRET"] = typer.prompt(
+            "Paste your ARM_CLIENT_SECRET",
+            hide_input=True,
+        )
 
     return cloud_provider
 

diff --git a/nebari/provider/cloud/azure_cloud.py b/nebari/provider/cloud/azure_cloud.py
@@ -2,7 +2,7 @@
 import logging
 import os
 
-from azure.identity import EnvironmentCredential
+from azure.identity import DefaultAzureCredential
 from azure.mgmt.containerservice import ContainerServiceClient
 
 from nebari.provider.cloud.commons import filter_by_highest_supported_k8s_version
@@ -15,14 +15,10 @@
 def initiate_container_service_client():
     subscription_id = os.environ.get("ARM_SUBSCRIPTION_ID", None)
 
-    # Python SDK needs different env var names to Terraform SDK
-    for envname in ("TENANT_ID", "CLIENT_SECRET", "CLIENT_ID"):
-        azure_name = f"AZURE_{envname}"
-        if azure_name not in os.environ:
-            os.environ[azure_name] = os.environ[f"ARM_{envname}"]
+    credentials = DefaultAzureCredential()
 
     return ContainerServiceClient(
-        credential=EnvironmentCredential(), subscription_id=subscription_id
+        credential=credentials, subscription_id=subscription_id
     )