Add OIDC tokens to gitlab-ci jobs (#39813)

* Add OIDC tokens to gitlab-ci jobs

This should allow us to start issuing just-in-time generated
credentials for CI jobs that need to modify binary mirrors. The "aud"
(audience) claim of the token identifies what the token is intended
to be used for. The token's signed claims are verified against a set
of rules on the IAM role using GitLab's published signing keys. See
spack-infrastructure for the claim verification logic.

---------

Co-authored-by: Scott Wittenburg <scott.wittenburg@kitware.com>
This commit is contained in:
Dan LaManna
2023-09-14 11:59:25 -04:00
committed by GitHub
parent 6838ee6bb8
commit 6a249944f5
2 changed files with 23 additions and 0 deletions


@@ -32,6 +32,9 @@ ci:
CI_JOB_SIZE: "default"
CI_GPG_KEY_ROOT: /mnt/key
# SPACK_VERBOSE_SCRIPT: "1"
id_tokens:
GITLAB_OIDC_TOKEN:
aud: "${OIDC_TOKEN_AUDIENCE}"
- signing-job:
image: { "name": "ghcr.io/spack/notary:latest", "entrypoint": [""] }
@@ -41,6 +44,9 @@ ci:
- /sign.sh
- aws s3 sync --exclude "*" --include "*spec.json.sig*" /tmp ${SPACK_REMOTE_MIRROR_OVERRIDE}/build_cache
- aws s3 cp /tmp/public_keys ${SPACK_REMOTE_MIRROR_OVERRIDE}/build_cache/_pgp --recursive --exclude "*" --include "*.pub"
id_tokens:
GITLAB_OIDC_TOKEN:
aud: "${OIDC_TOKEN_AUDIENCE}"
- copy-job:
tags: ["service", "x86_64"]
@@ -68,6 +74,9 @@ ci:
CI_JOB_SIZE: "medium"
KUBERNETES_CPU_REQUEST: "4000m"
KUBERNETES_MEMORY_REQUEST: "16G"
id_tokens:
GITLAB_OIDC_TOKEN:
aud: "${OIDC_TOKEN_AUDIENCE}"
- reindex-job:
tags: ["service", "x86_64"]
@@ -76,6 +85,9 @@ ci:
CI_JOB_SIZE: "medium"
KUBERNETES_CPU_REQUEST: "4000m"
KUBERNETES_MEMORY_REQUEST: "16G"
id_tokens:
GITLAB_OIDC_TOKEN:
aud: "${OIDC_TOKEN_AUDIENCE}"
- cleanup-job:
tags: ["service"]
@@ -83,6 +95,9 @@ ci:
CI_JOB_SIZE: "small"
KUBERNETES_CPU_REQUEST: "500m"
KUBERNETES_MEMORY_REQUEST: "500M"
id_tokens:
GITLAB_OIDC_TOKEN:
aud: "${OIDC_TOKEN_AUDIENCE}"
- noop-job:
tags: ["service"]
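Review bot: Every job that gets a token here (the block before signing-job, signing-job, copy-job, reindex-job, cleanup-job) requests the same `GITLAB_OIDC_TOKEN` with the same `aud: "${OIDC_TOKEN_AUDIENCE}"`, so the audience alone cannot tell the IAM side a signing job apart from a cleanup job, and the commit message's statement that `aud` "describes what the token is allowed to do" overstates what this claim carries — `aud` names the intended recipient, while authorization has to come from the trust policy conditioning on the other signed claims (`sub`, `project_path`, `ref_protected`, `ref`). That policy lives in spack-infrastructure and is not visible here, so I would either request a distinct audience per job class (e.g. `aud: "${OIDC_TOKEN_AUDIENCE}-sign"` on signing-job) or document in this file that the IAM trust policy, not `aud`, is the authorization boundary. Since `OIDC_TOKEN_AUDIENCE` is expanded at pipeline time and its definition is not in this hunk, a missing or mis-set value would presumably yield a token the trust policy rejects rather than one with broader rights, but that assumption should be confirmed against the role's `aud` condition. A comment above the first `id_tokens:` would help: `# Request a GitLab-signed OIDC JWT, exposed to the job as $GITLAB_OIDC_TOKEN, to exchange for short-lived mirror credentials; the IAM trust policy must pin sub/project_path/ref_protected, not only aud`. The job definitions continue outside the hunks, so whether any of these jobs also inherit other credentials cannot be seen here.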