hosts/jenkins-controller: inline get_secret.py
Prevent the repo and nixpkgs linter from fighting each other about
formatting.

Signed-off-by: Florian Klink <[email protected]>
flokli committed Dec 20, 2023
1 parent cf71bab commit 0871be7
Showing 2 changed files with 32 additions and 34 deletions.
42 changes: 32 additions & 10 deletions hosts/jenkins-controller/configuration.nix
Expand Up @@ -20,6 +20,36 @@
echo "Uploading paths" $OUT_PATHS
exec nix --extra-experimental-features nix-command copy --to 'http://localhost:8080?secret-key=/etc/secrets/nix-signing-key&compression=zstd' $OUT_PATHS
'';

get-secret =
pkgs.writers.writePython3 "get-secret" {
libraries = with pkgs.python3.pkgs; [azure-keyvault-secrets azure-identity];
} ''
"""
This script retrieves a secret specified in $SECRET_NAME
from an Azure Key Vault in $KEY_VAULT_NAME
and prints it to stdout.
It uses the default Azure credential client.
"""
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential
import os
key_vault_name = os.environ["KEY_VAULT_NAME"]
secret_name = os.environ["SECRET_NAME"]
credential = DefaultAzureCredential()
client = SecretClient(
vault_url=f"https://{key_vault_name}.vault.azure.net",
credential=credential
)
s = client.get_secret(secret_name)
print(s.value)
'';
in {
imports = [
../azure-common-2.nix
Expand Down Expand Up @@ -71,11 +101,7 @@ in {
EnvironmentFile = "/var/lib/fetch-build-ssh-key/env";
Restart = "on-failure";
};
script = let
get-secret = pkgs.writers.writePython3 "get-secret" {
libraries = with pkgs.python3.pkgs; [azure-keyvault-secrets azure-identity];
} (builtins.readFile ./get_secret.py);
in ''
script = ''
umask 077
mkdir -p /etc/secrets/
${get-secret} > /etc/secrets/remote-build-ssh-key
Expand Down Expand Up @@ -127,11 +153,7 @@ in {
EnvironmentFile = "/var/lib/fetch-binary-cache-signing-key/env";
Restart = "on-failure";
};
script = let
get-secret = pkgs.writers.writePython3 "get-secret" {
libraries = with pkgs.python3.pkgs; [azure-keyvault-secrets azure-identity];
} (builtins.readFile ./get_secret.py);
in ''
script = ''
umask 077
mkdir -p /etc/secrets/
${get-secret} > /etc/secrets/nix-signing-key
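Review bot: The inlined script now sits inside a Nix `''` string, so any `${` sequence added to the Python later would be interpolated by Nix before the interpreter ever sees it; the f-string `f"https://{key_vault_name}.vault.azure.net"` in the first hunk only survives because its brace is not preceded by `$`, and nothing in the file warns the next editor about that. A comment at the top of the embedded script, e.g. `# NOTE: embedded in a Nix '' string -- never write "${" in this script, Nix would interpolate it`, would make the trap visible. Separately, `os.environ["KEY_VAULT_NAME"]` and `os.environ["SECRET_NAME"]` turn a missing variable into a bare KeyError traceback in the journal while the shell redirection in the second and third hunks has already created an empty file under `/etc/secrets/`; a one-line check that exits with a message naming the missing variable would make that failure easier to diagnose. The surrounding `let` block and the two systemd `script` attributes continue outside the shown hunks.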
24 changes: 0 additions & 24 deletions hosts/jenkins-controller/get_secret.py

This file was deleted.

0 comments on commit 0871be7

Please sign in to comment.