diff --git a/.github/workflows/test-provider.yaml b/.github/workflows/test-provider.yaml
index b56eae90b9..58dacbf9a2 100644
--- a/.github/workflows/test-provider.yaml
+++ b/.github/workflows/test-provider.yaml
@@ -29,6 +29,12 @@ on:
 required: true
 type: string
+env:
+ ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+ ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+ ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+ PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
+
 jobs:
 test-render-providers:
 # Prevents the execution of this test under the following conditions:
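Review bot: The new workflow-level `env:` block exposes `ARM_CLIENT_ID`, `ARM_TENANT_ID`, `ARM_SUBSCRIPTION_ID` and `PROJECT_ID` to every step of every job in this file, including third-party actions that have no use for them, whereas the removed Vault step only set them inside the job that ran it. These are resource identifiers rather than credentials (the Azure login later in the diff is OIDC-based), so the exposure is low, but a step-level `env:` on the steps that actually consume them keeps to least privilege — the later `azure/login` step already reads `secrets.ARM_*` directly and does not need these copies. If this workflow is invoked through `workflow_call` (the `on:` inputs with `required: true` / `type: string` are consistent with that, but the trigger line is outside the hunk), `secrets.*` resolves to an empty string unless the caller passes them, which the Vault JWT step never required; a comment above `env:` such as `# Populated from repository secrets; callers of this workflow must forward them (secrets: inherit)` would make that contract visible.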
@@ -72,32 +78,14 @@ jobs:
 with:
 python-version: "3.11"
- - name: Retrieve secret from Vault
- uses: hashicorp/vault-action@v3.0.0
- with:
- method: jwt
- url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"
- namespace: "admin/quansight"
- role: "repository-nebari-dev-nebari-role"
- secrets: |
- kv/data/repository/nebari-dev/nebari/amazon_web_services/nebari-dev-ci role_name | AWS_ROLE_ARN;
- kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci project_id | PROJECT_ID;
- kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci workload_identity_provider | GCP_WORKFLOW_PROVIDER;
- kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci service_account_name | GCP_SERVICE_ACCOUNT;
- kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci client_id | ARM_CLIENT_ID;
- kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci tenant_id | ARM_TENANT_ID;
- kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci subscription_id | ARM_SUBSCRIPTION_ID;
- kv/data/repository/nebari-dev/nebari/shared_secrets SPACES_ACCESS_KEY_ID | SPACES_ACCESS_KEY_ID;
- kv/data/repository/nebari-dev/nebari/shared_secrets SPACES_SECRET_ACCESS_KEY | SPACES_SECRET_ACCESS_KEY;
-
 - name: 'Authenticate to GCP'
 if: ${{ matrix.provider == 'gcp' }}
 uses: 'google-github-actions/auth@v1'
 with:
 token_format: access_token
 create_credentials_file: 'true'
- workload_identity_provider: ${{ env.GCP_WORKFLOW_PROVIDER }}
- service_account: ${{ env.GCP_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ secrets.GCP_WORKFLOW_PROVIDER }}
+ service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 - name: Set required environment variables
 if: ${{ matrix.provider == 'gcp' }}
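Review bot: The removed Vault step also exported `SPACES_ACCESS_KEY_ID` and `SPACES_SECRET_ACCESS_KEY` into the job environment, and nothing in this diff re-provides them; if a later step of this job still reads them (the job continues past the hunk) it now sees an empty string, and GitHub raises no error for an unset `env` reference. Either add them on the step that consumes them, e.g. `SPACES_ACCESS_KEY_ID: ${{ secrets.SPACES_ACCESS_KEY_ID }}` and `SPACES_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET_ACCESS_KEY }}` under that step's `env:`, or confirm they are unused and retire the corresponding Vault entries so the repository-scoped Vault role no longer grants them. Separately, `google-github-actions/auth` with `token_format: access_token` depends on `permissions: id-token: write`, which the Vault JWT step also relied on; the job's `permissions` block is outside the hunk, so confirm it was not trimmed together with the Vault step.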
@@ -108,7 +96,7 @@ jobs:
 if: ${{ matrix.provider == 'aws' }}
 uses: aws-actions/configure-aws-credentials@v1
 with:
- role-to-assume: ${{ env.AWS_ROLE_ARN }}
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
 role-session-name: github-action
 aws-region: us-east-1
@@ -116,9 +104,9 @@ jobs:
 if: ${{ matrix.provider == 'azure' }}
 uses: azure/login@v1
 with:
- client-id: ${{ env.ARM_CLIENT_ID }}
- tenant-id: ${{ env.ARM_TENANT_ID }}
- subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
+ client-id: ${{ secrets.ARM_CLIENT_ID }}
+ tenant-id: ${{ secrets.ARM_TENANT_ID }}
+ subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
 - name: Install Nebari
 run: |
diff --git a/.github/workflows/test_aws_integration.yaml b/.github/workflows/test_aws_integration.yaml
index a02628cd2e..731065b788 100644
--- a/.github/workflows/test_aws_integration.yaml
+++ b/.github/workflows/test_aws_integration.yaml
@@ -51,21 +51,10 @@ jobs:
 pip install .[dev]
 playwright install
- - name: Retrieve secret from Vault
- uses: hashicorp/vault-action@v3.0.0
- with:
- method: jwt
- url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"
- namespace: "admin/quansight"
- role: "repository-nebari-dev-nebari-role"
- secrets: |
- kv/data/repository/nebari-dev/nebari/amazon_web_services/nebari-dev-ci role_name | AWS_ROLE_ARN;
- kv/data/repository/nebari-dev/nebari/cloudflare/internal-devops@quansight.com/nebari-dev-ci token | CLOUDFLARE_TOKEN;
-
 - name: Authenticate to AWS
 uses: aws-actions/configure-aws-credentials@v1
 with:
- role-to-assume: ${{ env.AWS_ROLE_ARN }}
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
 role-session-name: github-action
 aws-region: ${{ env.AWS_DEFAULT_REGION }}
diff --git a/.github/workflows/test_azure_integration.yaml b/.github/workflows/test_azure_integration.yaml
index e04d8b69ab..269461f320 100644
--- a/.github/workflows/test_azure_integration.yaml
+++ b/.github/workflows/test_azure_integration.yaml
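Review bot: The Vault step removed from `test_aws_integration.yaml` also populated `CLOUDFLARE_TOKEN`, but unlike `test_azure_integration.yaml` no hunk in this diff switches a `CLOUDFLARE_TOKEN` reference in this file to `secrets.`; if a later step of the job (it continues past the hunk) still uses `${{ env.CLOUDFLARE_TOKEN }}`, that now expands to an empty string without any error. Either add `CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_TOKEN }}` to the `env:` of the step that needs it, or confirm the token is unused in this workflow and drop the secret from the repository. The same gap applies to the Vault removal in `test_gcp_integration.yaml` below, whose hunk likewise shows no replacement for the `CLOUDFLARE_TOKEN` it used to set. The `role-to-assume: ${{ secrets.AWS_ROLE_ARN }}` change itself is fine: the role ARN is an identifier, and the OIDC assume-role path is unchanged.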
@@ -50,25 +50,12 @@ jobs:
 conda install --quiet --yes conda-build
 playwright install
- - name: Retrieve secret from Vault
- uses: hashicorp/vault-action@v3.0.0
- with:
- method: jwt
- url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"
- namespace: "admin/quansight"
- role: "repository-nebari-dev-nebari-role"
- secrets: |
- kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci client_id | ARM_CLIENT_ID;
- kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci tenant_id | ARM_TENANT_ID;
- kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci subscription_id | ARM_SUBSCRIPTION_ID;
- kv/data/repository/nebari-dev/nebari/cloudflare/internal-devops@quansight.com/nebari-dev-ci token | CLOUDFLARE_TOKEN;
-
 - name: 'Azure login'
 uses: azure/login@v2
 with:
- client-id: ${{ env.ARM_CLIENT_ID }}
- tenant-id: ${{ env.ARM_TENANT_ID }}
- subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
+ client-id: ${{ secrets.ARM_CLIENT_ID }}
+ tenant-id: ${{ secrets.ARM_TENANT_ID }}
+ subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
 - name: Integration Tests
 run: |
@@ -78,8 +65,8 @@ jobs:
 NEBARI_SECRET__default_images__jupyterhub: "quay.io/nebari/nebari-jupyterhub:${{ env.NEBARI_IMAGE_TAG }}"
 NEBARI_SECRET__default_images__jupyterlab: "quay.io/nebari/nebari-jupyterlab:${{ env.NEBARI_IMAGE_TAG }}"
 NEBARI_SECRET__default_images__dask_worker: "quay.io/nebari/nebari-dask-worker:${{ env.NEBARI_IMAGE_TAG }}"
- ARM_CLIENT_ID: ${{ env.ARM_CLIENT_ID }}
- ARM_TENANT_ID: ${{ env.ARM_TENANT_ID }}
- ARM_SUBSCRIPTION_ID: ${{ env.ARM_SUBSCRIPTION_ID }}
+ ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+ ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+ ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
 ARM_USE_OIDC: "true"
- CLOUDFLARE_TOKEN: ${{ env.CLOUDFLARE_TOKEN }}
+ CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_TOKEN }}
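Review bot: In the second hunk, the Integration Tests step's `env:` now takes `CLOUDFLARE_TOKEN` from `secrets.CLOUDFLARE_TOKEN`; unlike the `ARM_*` values, which are identifiers used with `ARM_USE_OIDC: "true"`, this is a bearer credential, and it moves from being fetched per run under a repository-scoped Vault role to a static repository secret whose rotation now happens in GitHub settings. That is a reasonable trade, but it should be recorded where the value is consumed, e.g. a comment above the line: `# Long-lived Cloudflare API token held as a repository secret; rotate in Cloudflare and update the secret together`. The step definition starts before this hunk, so the `run:` body that uses these variables is not visible here. The `ARM_*` identifiers in this step are consistent with the `azure/login@v2` inputs in the first hunk, and `ARM_USE_OIDC` is correctly quoted so it stays a string for the consumer.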
diff --git a/.github/workflows/test_gcp_integration.yaml b/.github/workflows/test_gcp_integration.yaml
index 0711a36196..cfb5dc22b1 100644
--- a/.github/workflows/test_gcp_integration.yaml
+++ b/.github/workflows/test_gcp_integration.yaml
@@ -25,6 +25,7 @@ on:
 env:
 NEBARI_IMAGE_TAG: ${{ github.event.inputs.image-tag || 'main' }}
 TF_LOG: ${{ github.event.inputs.tf-log-level || 'info' }}
+ PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
 jobs:
 test-gcp-integration:
@@ -50,24 +51,11 @@ jobs:
 pip install .[dev]
 playwright install
- - name: Retrieve secret from Vault
- uses: hashicorp/vault-action@v3.0.0
- with:
- method: jwt
- url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"
- namespace: "admin/quansight"
- role: "repository-nebari-dev-nebari-role"
- secrets: |
- kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci project_id | PROJECT_ID;
- kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci workload_identity_provider | GCP_WORKFLOW_PROVIDER;
- kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci service_account_name | GCP_SERVICE_ACCOUNT;
- kv/data/repository/nebari-dev/nebari/cloudflare/internal-devops@quansight.com/nebari-dev-ci token | CLOUDFLARE_TOKEN;
-
 - name: 'Authenticate to GCP'
 uses: 'google-github-actions/auth@v1'
 with:
- workload_identity_provider: ${{ env.GCP_WORKFLOW_PROVIDER }}
- service_account: ${{ env.GCP_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ secrets.GCP_WORKFLOW_PROVIDER }}
+ service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 - name: Set required environment variables
 run: |