Revisiting ssh-oidc config (#370)

* add security group for motley-cue * enable ssh-oidc again * pass access token to motley-cue role and pip install ansible * use python3-venv instead of python3.10-venv and do not install ansible with apt * linting * linting * Revert "linting" This reverts commit 52d3426. * linting without messing around
EGI-Federation · Sep 17, 2024 · 553eabe · 553eabe
1 parent adc040c
commit 553eabe
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 4 deletions.
diff --git a/deploy/cloud-info/main.tf b/deploy/cloud-info/main.tf
@@ -1,8 +1,24 @@
+resource "openstack_networking_secgroup_v2" "motley" {
+  name                 = "motley"
+  description          = "Open ports for motley-cue"
+  delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "motley-8080" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 8080
+  port_range_max    = 8080
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = openstack_networking_secgroup_v2.motley.id
+}
+
 resource "openstack_compute_instance_v2" "cloud-info" {
   name            = "cloud-info"
   image_id        = var.image_id
   flavor_id       = var.flavor_id
-  security_groups = ["default"]
+  security_groups = ["default", "motley"]
   user_data       = file("cloud-init.yaml")
   network {
     uuid = var.net_id

diff --git a/deploy/cloud-init.yaml b/deploy/cloud-init.yaml
@@ -13,11 +13,10 @@ users:
 
 packages:
   - git
-  - ansible
   - jq
   - python3-openstackclient
   - python3-pip
-  - python3.10-venv
+  - python3-venv
   - retry
 
 write_files:

diff --git a/deploy/deploy.sh b/deploy/deploy.sh
@@ -30,13 +30,25 @@ image_sync_image: "ghcr.io/egi-federation/fedcloud-image-sync:sha-$SHORT_SHA"
 site_config_dir: "$(readlink -f ../sites)"
 EOF
 
+# get access token for motley-cue
+CLIENT_ID=$(yq -r '.fedcloudops.client_id' secrets.yaml)
+CLIENT_SECRET=$(yq -r '.fedcloudops.client_secret' secrets.yaml)
+SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement"
+ACCESS_TOKEN=$(curl --request POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \
+	--data "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&scope=$SCOPE" |
+	jq -r ".access_token")
+
+# use pip-installed Ansible (apt version is too old)
+pip install ansible
+
 # install Ansible dependencies
 ansible-galaxy role install -r galaxy-requirements.yaml
 
 # Configure!
 if ansible-playbook -i inventory.yaml \
 	--extra-vars @secrets.yaml \
 	--extra-vars @extra-vars.yaml \
+	--extra-vars ACCESS_TOKEN="$ACCESS_TOKEN" \
 	--tags "$TAGS" \
 	playbook.yaml >ansible.log 2>&1; then
 	status_summary="success"

diff --git a/deploy/playbook.yaml b/deploy/playbook.yaml
@@ -7,7 +7,7 @@
         ssh_oidc_other_vos_name: cloud.egi.eu
         ssh_oidc_other_vos_role: auditor
       tags:
-        - never
+        - always
     - role: catchall
       vars:
         site_config_dir: ../sites/