CI - Use License Key and API Key Secrets from Vault (#26)

* Enable secrets mode on verify pipelines, which apparently works on ruby3.0 image anyway on coverage pipeline Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Fetch chef licensing server and API key from vault, linux implementation Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Fetch chef licensing server and API key from vault, windows implementation Signed-off-by: Sonu Saha <sonu.saha@progress.com> * Add diagnostic to test whether API key has been set and exit if not Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Secrets missed on two jobs Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Add diagnostic to test whether API key has been set on windows Signed-off-by: Sonu Saha <sonu.saha@progress.com> * Add license key to env var list and gate verify pipeline on it Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> --------- Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> Signed-off-by: Sonu Saha <sonu.saha@progress.com> Co-authored-by: Sonu Saha <sonu.saha@progress.com>
2024-11-10 07:04:15 +00:00 · 2023-03-23 14:47:02 -04:00 · 2023-03-23 14:47:02 -04:00 · d8200f8539
commit d8200f8539
parent efc65b3baf
3 changed files with 88 additions and 7 deletions
--- a/.expeditor/buildkite/verify.ps1
+++ b/.expeditor/buildkite/verify.ps1
@ -4,6 +4,68 @@ Get-CimInstance Win32_OperatingSystem | Select-Object $Properties | Format-Table
 ruby -v
 bundle --version

+echo "--- download and install vault"
+# Define the version of Vault to install
+$VaultVersion = "1.13.0"
+
+# Define the installation directory for Vault
+$VaultDirectory = "$env:USERPROFILE\Vault"
+
+# Create the installation directory if it doesn't exist
+if (!(Test-Path $VaultDirectory))
+{
+    New-Item -ItemType Directory -Path $VaultDirectory | Out-Null
+}
+
+$VaultDownloadUrl = "https://releases.hashicorp.com/vault/$VaultVersion/vault_${VaultVersion}_windows_amd64.zip"
+$VaultZipFilePath = Join-Path $VaultDirectory "vault.zip"
+
+Invoke-WebRequest -Uri $VaultDownloadUrl -OutFile $VaultZipFilePath
+
+# Extract the Vault binary from the zip file
+$VaultExtractPath = Join-Path $VaultDirectory "vault"
+Expand-Archive -Path $VaultZipFilePath -DestinationPath $VaultExtractPath
+
+# Add the Vault binary to the system PATH environment variable
+$env:Path += ";$VaultExtractPath"
+
+# Verify the installation
+echo "--- vault version installed is:"
+vault version
+
+echo "--- fetching Licensing API Keys from vault"
+$Env:CHEF_LICENSE_SERVER_API_KEY=vault kv get -field acceptance secret/inspec/licensing/api-key
+$Env:CHEF_LICENSE_SERVER=vault kv get -field acceptance secret/inspec/licensing/server
+$Env:CHEF_LICENSE_KEY=vault kv get -field acceptance secret/inspec/licensing/license-key
+
+echo "--- verifying if environment variables are set"
+
+function CheckIfEnvVarIsSet {
+  param (
+    [string]$envVarName
+  )
+  if (Test-Path "env:\$envVarName") {
+    Write-Host "  ++ $envVarName set successfully"
+  } else {
+    Write-Host "  !! $envVarName is not set."
+  }
+}
+
+$envVarName = "CHEF_LICENSE_SERVER"
+CheckIfEnvVarIsSet -envVarName $envVarName
+
+$envVarName = "CHEF_LICENSE_SERVER_API_KEY"
+CheckIfEnvVarIsSet -envVarName $envVarName
+
+$envVarName = "CHEF_LICENSE_KEY"
+CheckIfEnvVarIsSet -envVarName $envVarName
+
+if ($Env:CI_ENABLE_COVERAGE)
+{
+    echo "--- fetching Sonar token from vault"
+    $Env:SONAR_TOKEN=vault kv get -field token secret/inspec/sonar
+}
+
 echo "--- bundle install"
 bundle config set --local without deploy kitchen
 bundle install --jobs=7 --retry=3
--- a/.expeditor/buildkite/verify.sh
+++ b/.expeditor/buildkite/verify.sh
@ -20,14 +20,26 @@ mount
 df /tmp
 echo ${TMPDIR:-unknown}

-if [ -n "${CI_ENABLE_COVERAGE:-}" ]; then
-  # Fetch token from vault ASAP so that long-running tests don't cause our vault token to expire
-  echo "--- installing vault"
-  export VAULT_VERSION=1.9.3
-  export VAULT_HOME=$HOME/vault
-  curl --create-dirs -sSLo $VAULT_HOME/vault.zip https://releases.hashicorp.com/vault/$VAULT_VERSION/vault_${VAULT_VERSION}_linux_amd64.zip
-  unzip -o $VAULT_HOME/vault.zip -d $VAULT_HOME
+# Fetch tokens from vault ASAP so that long-running tests don't cause our vault token to expire
+echo "--- installing vault"
+export VAULT_VERSION=1.13.0
+export VAULT_HOME=$HOME/vault
+curl --create-dirs -sSLo $VAULT_HOME/vault.zip https://releases.hashicorp.com/vault/$VAULT_VERSION/vault_${VAULT_VERSION}_linux_amd64.zip
+unzip -o $VAULT_HOME/vault.zip -d $VAULT_HOME

+echo "--- fetching Licensing API Keys from vault"
+export CHEF_LICENSE_SERVER_API_KEY=$($VAULT_HOME/vault kv get -field acceptance secret/inspec/licensing/api-key)
+export CHEF_LICENSE_SERVER=$($VAULT_HOME/vault kv get -field acceptance secret/inspec/licensing/server)
+export CHEF_LICENSE_KEY=$($VAULT_HOME/vault kv get -field acceptance secret/inspec/licensing/license-key)
+if [ -n "${CHEF_LICENSE_KEY:-}" ]; then
+  echo "  ++ License Key set successfully"
+else
+  echo "  !! License Key not set - exiting "
+  exit 1
+fi
+
+
+if [ -n "${CI_ENABLE_COVERAGE:-}" ]; then
  echo "--- fetching Sonar token from vault"
  export SONAR_TOKEN=$($VAULT_HOME/vault kv get -field token secret/inspec/sonar)
 fi
--- a/.expeditor/verify.pipeline.yml
+++ b/.expeditor/verify.pipeline.yml
@ -13,6 +13,7 @@ steps:
    command:
      - RAKE_TASK=test:lint /workdir/.expeditor/buildkite/verify.sh
    expeditor:
+      secrets: true
      executor:
        docker:
          image: ruby:3.0
@ -21,6 +22,7 @@ steps:
    command:
      - /workdir/.expeditor/buildkite/verify.sh
    expeditor:
+      secrets: true
      executor:
        docker:
          image: ruby:2.7
@ -29,6 +31,7 @@ steps:
    command:
      - /workdir/.expeditor/buildkite/verify.sh
    expeditor:
+      secrets: true
      executor:
        docker:
          image: ruby:3.0
@ -37,6 +40,7 @@ steps:
    command:
      - /workdir/.expeditor/buildkite/verify.sh
    expeditor:
+      secrets: true
      executor:
        docker:
          image: ruby:3.1
@ -45,6 +49,7 @@ steps:
    command:
      - RAKE_TASK=test:isolated /workdir/.expeditor/buildkite/verify.sh
    expeditor:
+      secrets: true
      executor:
        docker:
          image: ruby:3.0
@ -53,6 +58,7 @@ steps:
    command:
      - RAKE_TASK=test:isolated /workdir/.expeditor/buildkite/verify.sh
    expeditor:
+      secrets: true
      executor:
        docker:
          image: ruby:3.1
@ -61,6 +67,7 @@ steps:
    command:
      - /workdir/.expeditor/buildkite/verify.ps1
    expeditor:
+      secrets: true
      executor:
        docker:
          environment: