From cab8385335e55fd54693878c6794c2327d6d268d Mon Sep 17 00:00:00 2001
From: Artem Goncharov
Date: Mon, 16 Sep 2024 15:39:41 +0200
Subject: [PATCH] Use zuul-scs-jobs role for access jobs

The base jobs generates wrapper vault approle secret for the role containing the project name. In the case of access jobs we cannot do it this way and should use the global project name.

Signed-off-by: Artem Goncharov
---
 playbooks/openstack/pre.yaml | 4 ++++
 zuul.d/jobs.yaml | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/playbooks/openstack/pre.yaml b/playbooks/openstack/pre.yaml
index 395819a..e85f1c8 100644
--- a/playbooks/openstack/pre.yaml
+++ b/playbooks/openstack/pre.yaml
@@ -8,6 +8,10 @@
 vault_role_name: "{{ zuul_vault.vault_role_name }}"
 roles:
+ # Create a new AppRole secret for the zuul-scs-jobs AppRole
+ - role: create-vault-approle-secret
+
+ # Unwrap secret and exchange it for the Vault access token
 - role: create-vault-approle-token
 vault_role_id: "{{ zuul_vault.vault_role_id }}"
 vault_wrapping_token_id: "{{ lookup('file', vault_secret_dest) }}"
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 5835248..fe9973e 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -50,6 +50,8 @@
 post-run: playbooks/openstack/post.yaml
 semaphores:
 - semaphore-openstack-access
+ allowed-projects:
+ - sovereigncloudstack/zuul-jobs
 vars:
 cloud: "gx-scs-zuul"
 vault_cloud_secret_path: "clouds/gx_scs_k8s_e2e"
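Review bot: The added `- role: create-vault-approle-secret` entry takes no arguments, so its hand-off to `create-vault-approle-token` depends on both roles agreeing on `vault_secret_dest`, which the next role reads with `lookup('file', vault_secret_dest)` but which is not defined anywhere in this hunk. If the play fails between the two roles, the wrapped secret ID is presumably left on disk unredeemed, so it is worth confirming that the path is per-build, not readable by other users, and removed in the post playbook. A comment above the role would make the coupling visible, for example `# writes the wrapped secret ID to vault_secret_dest, consumed by the next role`. The play header and its `vars:` start outside the hunk, so this may already be handled there.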
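Review bot: The new `allowed-projects` list only works as a boundary under conditions this hunk does not show. Zuul documents that in an untrusted project the list can be bypassed by a change that Depends-On one editing it, unless the job is defined in a config project or itself declares `secrets`. The job header is outside the hunk, so please confirm one of those holds for the job that owns `semaphore-openstack-access` and `vault_cloud_secret_path`. A comment stating the intent would also help the next editor, for example `# Uses the shared cloud credentials from Vault; must stay limited to this repository`.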