This repository has been archived by the owner on Feb 27, 2024. It is now read-only.

Commit

chore: publishing initial code
Paulo Gomes da Cruz Junior committed Jan 31, 2023
0 parents commit e0b764c
Showing 6 changed files with 406 additions and 0 deletions.
6 changes: 6 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: daily
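Review bot: only the `github-actions` ecosystem is covered here, yet the `.gitignore` added in this same commit is the Node template, so if the action itself is implemented in Node its `package.json`/lockfile dependencies get no Dependabot updates at all. If that is the case, add a second entry (`- package-ecosystem: npm`, `directory: /`, same `schedule`). Also consider `interval: weekly` rather than `daily`: every version-bump PR Dependabot opens will trigger the `pull_request` workflows in this commit, and the `pr-open.yml` one calls out to the broker and Vault.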
27 changes: 27 additions & 0 deletions .github/workflows/pr-close.yml
@@ -0,0 +1,27 @@
name: Pull Request Closed

on:
pull_request:
types:
- closed

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
# If merged into main, then handle any image promotions
image-promotions:
name: Image Promotions
if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main'
runs-on: ubuntu-22.04
strategy:
matrix:
package: [backend, database, frontend]
steps:
- uses: shrink/actions-docker-registry-tag@v3
with:
registry: ghcr.io
repository: ${{ github.repository }}/${{ matrix.package }}
target: ${{ github.event.number }}
tags: test
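Review bot: the `image-promotions` job retags images in `ghcr.io` but declares no `permissions` block, so it runs with whatever the repository's default `GITHUB_TOKEN` permissions happen to be; retagging a package needs `packages: write`, and the job should state that scope (and only that scope) explicitly, as `pr-open.yml` in this same commit does. Two further points: the matrix promotes `backend`, `database` and `frontend` images to the `test` tag, but nothing in this commit builds or publishes packages with those names, so this job reads as a leftover from a container-app template and will fail until such packages exist; and `shrink/actions-docker-registry-tag@v3` is a mutable tag on a third-party action that is handed write access to the registry, so pin it to a full commit SHA.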
32 changes: 32 additions & 0 deletions .github/workflows/pr-open.yml
@@ -0,0 +1,32 @@
name: Pull Request

on:
pull_request:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
retags:
permissions:
packages: write
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- name: Test Retags
id: broker
uses: ./
with:
broker_jwt: ${{ secrets.BROKER_JWT }}
provision_role_id: ${{ secrets.PROVISION_ROLE }}
- name: Import Secrets
id: secrets
uses: hashicorp/[email protected]
with:
url: https://vault-iit.apps.silver.devops.gov.bc.ca
token: ${{ steps.broker.outputs.vault_token }}
exportEnv: 'false'
secrets: |
apps/data/dev/client/app-client/db_proxy_read_only db_username | VAULT_DB_USER;
apps/data/dev/client/app-client/db_proxy_read_only db_password | VAULT_DB_PASS;
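Review bot: `permissions: packages: write` is granted but no step in this job pushes a package; once a `permissions` block is present every unlisted scope drops to `none`, so the only scope this job actually needs is `contents: read` for `actions/checkout@v3`. Replace the block with `permissions:` / `contents: read`. Because the trigger is a bare `pull_request`, `secrets.BROKER_JWT` and `secrets.PROVISION_ROLE` are empty for pull requests from forks, so the `Test Retags` step will fail on authentication instead of exercising the action; either guard the job with `if: github.event.pull_request.head.repo.full_name == github.repository` or accept that fork PRs are untested. The step name `Test Retags` also looks copied from the template; it tests the broker login, not retagging. Finally, `vault_token` travels between steps as a step output, and outputs are not masked in logs unless the action emits `::add-mask::` for the value, so confirm the action does that before `Import Secrets` consumes it.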
104 changes: 104 additions & 0 deletions .gitignore
@@ -0,0 +1,104 @@
# Logs
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
lerna-debug.log*

# Diagnostic reports (https://nodejs.org/api/report.html)
report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json

# Runtime data
pids
*.pid
*.seed
*.pid.lock

# Directory for instrumented libs generated by jscoverage/JSCover
lib-cov

# Coverage directory used by tools like istanbul
coverage
*.lcov

# nyc test coverage
.nyc_output

# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
.grunt

# Bower dependency directory (https://bower.io/)
bower_components

# node-waf configuration
.lock-wscript

# Compiled binary addons (https://nodejs.org/api/addons.html)
build/Release

# Dependency directories
node_modules/
jspm_packages/

# TypeScript v1 declaration files
typings/

# TypeScript cache
*.tsbuildinfo

# Optional npm cache directory
.npm

# Optional eslint cache
.eslintcache

# Microbundle cache
.rpt2_cache/
.rts2_cache_cjs/
.rts2_cache_es/
.rts2_cache_umd/

# Optional REPL history
.node_repl_history

# Output of 'npm pack'
*.tgz

# Yarn Integrity file
.yarn-integrity

# dotenv environment variables file
.env
.env.test

# parcel-bundler cache (https://parceljs.org/)
.cache

# Next.js build output
.next

# Nuxt.js build / generate output
.nuxt
dist

# Gatsby files
.cache/
# Comment in the public line in if your project uses Gatsby and *not* Next.js
# https://nextjs.org/blog/next-9-1#public-directory-support
# public

# vuepress build output
.vuepress/dist

# Serverless directories
.serverless/

# FuseBox cache
.fusebox/

# DynamoDB Local files
.dynamodb/

# TernJS port file
.tern-port
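Review bot: this is the stock Node `.gitignore` and it ignores `dist`. If this is a JavaScript action (the `uses: ./` in `pr-open.yml` and this template suggest it), the compiled `dist/` bundle must be committed, because runners execute the bundled entry point directly without running `npm install`; with `dist` ignored the action cannot be consumed at `@main` as the README instructs. Either delete the `dist` line (and the `.next`, `.nuxt`, Gatsby and vuepress entries that do not apply to an action) or make this a Docker or composite action. The `.env` / `.env.test` entries are worth keeping regardless, since a local `.env` for this project would hold a broker JWT.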
150 changes: 150 additions & 0 deletions README.md
@@ -0,0 +1,150 @@
<!-- Badges -->
[![Issues](https://img.shields.io/github/issues/bcgov-nr/action-vault-broker-approle)](/../../issues)
[![Pull Requests](https://img.shields.io/github/issues-pr/bcgov-nr/action-vault-broker-approle)](/../../pulls)
[![MIT License](https://img.shields.io/github/license/bcgov-nr/action-vault-broker-approle.svg)](/LICENSE)
[![Lifecycle](https://img.shields.io/badge/Lifecycle-Experimental-339999)](https://github.com/bcgov/repomountie/blob/master/doc/lifecycle-badges.md)

# Vault Approle Token extractor through Vault Broker API

This action acquires an approle token from vault through the Broker API. This allows the team to access and generate tokens through the github action pipeline.

This is useful in CI/CD pipelines where you need to access a secret, get a vault token or anything vault related.

This tool is currently based on the existing documentation provided by 1team.

Package name: `<organization>/<repository>/<package>:<tag>`

Pull with: `docker pull ghcr.io/<organization>/<repository>/<package>:<tag>`

# Usage

```yaml
- uses: bcgov-nr/action-vault-broker-approle@main
with:
### Required

# Broker JWT Token
broker_jwt: The JWT to be used on the broker

# Role ID for Provision
provision_role_id: The id of the role to be used during provisioning

### Usually a bad idea / not recommended

# Overrides the default branch to diff against
# Defaults to the default branch, usually `main`
diff_branch: ${{ github.event.repository.default_branch }}

# Repository to clone and process
# Useful for consuming other repos, like in testing
# Defaults to the current one
repository: ${{ github.repository }}

# Broker server address
# Useful when consuming from a test server or other environment
broker_url: https://nr-broker.apps.silver.devops.gov.bc.ca

# Vault server address
# Useful when interacting with other instances of vault
vault_addr: https://vault-iit.apps.silver.devops.gov.bc.ca



```

# Example, Reading secrets

Read a secret from the vault

Create or modify a GitHub workflow, like below. E.g. `./github/workflows/pr-open.yml`

```yaml
name: Pull Request

on:
pull_request:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
builds:
permissions:
packages: write
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- name: Broker
id: broker
uses: bcgov-nr/action-vault-broker-approle@main
with:
broker_jwt: ${{ secrets.BROKER_JWT }}
provision_role_id: ${{ secrets.PROVISION_ROLE }}
- name: Import Secrets
id: secrets
uses: hashicorp/[email protected]
with:
url: https://vault-iit.apps.silver.devops.gov.bc.ca
token: ${{ steps.broker.outputs.vault_token }}
exportEnv: 'false'
secrets: |
apps/data/dev/super_secrets username | SECRET_USER;
apps/data/dev/super_secrets password | SECRET_PWD;
```
# Example, Matrix Token Reads
Read from multiple environments.
Create or modify a GitHub workflow, like below. E.g. `./github/workflows/pr-open.yml`

```yaml
name: Pull Request
on:
pull_request:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
builds:
permissions:
packages: write
runs-on: ubuntu-22.04
strategy:
matrix:
env: [dev, test]
steps:
- uses: actions/checkout@v3
- name: Broker
id: broker
uses: bcgov-nr/action-vault-broker-approle@main
with:
broker_jwt: ${{ secrets.BROKER_JWT }}
provision_role_id: ${{ secrets.PROVISION_ROLE }}
- name: Import Secrets
id: secrets
uses: hashicorp/[email protected]
with:
url: https://vault-iit.apps.silver.devops.gov.bc.ca
token: ${{ steps.broker.outputs.vault_token }}
exportEnv: 'false'
secrets: |
apps/data/${{ matrix.env }}/super_secrets username | SECRET_USER;
apps/data/${{ matrix.env }}/super_secrets password | SECRET_PWD;
```

# Output

If a token is acquired this action will output the token value as the `vault_token`.
See examples above.


<!-- # Acknowledgements

This Action is provided courtesty of the Forestry Suite of Applications, part of the Government of British Columbia. -->
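Review bot: the workflow path given in both examples, `./github/workflows/pr-open.yml`, is wrong; GitHub only reads workflows from `.github/workflows/`, so drop the leading `./`. The examples also tell consumers to reference `bcgov-nr/action-vault-broker-approle@main`, which is a moving target for an action that is handed a broker JWT and returns a Vault token; document a release tag or commit SHA instead. Several passages read as copied from a container-image template and do not describe this action: the `Package name` and `Pull with: docker pull ghcr.io/...` lines, the `diff_branch` and `repository` inputs in the `Usage` block (neither is used by any workflow in this commit, and the `Usage` block should list only the inputs `action.yml` declares), and `permissions: packages: write` in both example jobs, where `contents: read` is the scope actually needed for checkout. "Based on the existing documentation provided by 1team" needs a link or a name a reader can follow. In the `Output` section, state whether `vault_token` is masked in the job log, since consumers will pass it to further steps. Minor: `courtesty` in the commented-out acknowledgement.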