Add OIDC tokens to gitlab-ci jobs (#39813)

* Add OIDC tokens to gitlab-ci jobs This should allow us to start issuing just-in-time generated credentials for CI jobs that need to modify binary mirrors. The "aud" claim of the token describes what the token is allowed to do. The claim is verified against a set of rules on the IAM role using signed information from GitLab. See spack-infrastructure for the claim verification logic. --------- Co-authored-by: Scott Wittenburg <scott.wittenburg@kitware.com>
2023-09-14 11:59:25 -04:00 · 2023-09-14 11:59:25 -04:00 · 6a249944f5
commit 6a249944f5
parent 6838ee6bb8
2 changed files with 23 additions and 0 deletions
--- a/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml
+++ b/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml
@ -69,6 +69,7 @@ default:
 .base-job:
  variables:
    SPACK_BUILDCACHE_DESTINATION: "s3://spack-binaries/${CI_COMMIT_REF_NAME}/${SPACK_CI_STACK_NAME}"
+
  rules:
    - if: $CI_COMMIT_REF_NAME == "develop"
      # Pipelines on develop only rebuild what is missing from the mirror
@ -79,6 +80,7 @@ default:
        SPACK_REQUIRE_SIGNING: "True"
        AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID}
        AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY}
+        OIDC_TOKEN_AUDIENCE: "protected_binary_mirror"
    - if: $CI_COMMIT_REF_NAME =~ /^releases\/v.*/
      # Pipelines on release branches always rebuild everything
      when: always
@ -90,6 +92,7 @@ default:
        SPACK_REQUIRE_SIGNING: "True"
        AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID}
        AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY}
+        OIDC_TOKEN_AUDIENCE: "protected_binary_mirror"
    - if: $CI_COMMIT_TAG =~ /^develop-[\d]{4}-[\d]{2}-[\d]{2}$/ || $CI_COMMIT_TAG =~ /^v.*/
      # Pipelines on tags (release or dev snapshots) only copy binaries from one mirror to another
      when: always
@ -99,6 +102,7 @@ default:
        SPACK_COPY_BUILDCACHE: "s3://spack-binaries/${CI_COMMIT_REF_NAME}"
        AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID}
        AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY}
+        OIDC_TOKEN_AUDIENCE: "protected_binary_mirror"
    - if: $CI_COMMIT_REF_NAME =~ /^pr[\d]+_.*$/
      # Pipelines on PR branches rebuild only what's missing, and do extra pruning
      when: always
@ -109,6 +113,7 @@ default:
        SPACK_PRUNE_UNTOUCHED_DEPENDENT_DEPTH: "1"
        AWS_ACCESS_KEY_ID: ${PR_MIRRORS_AWS_ACCESS_KEY_ID}
        AWS_SECRET_ACCESS_KEY: ${PR_MIRRORS_AWS_SECRET_ACCESS_KEY}
+        OIDC_TOKEN_AUDIENCE: "pr_binary_mirror"

 .generate-common:
  stage: generate
@ -225,6 +230,9 @@ protected-publish:
    - curl -fLsS https://spack.github.io/keys/spack-public-binary-key.pub -o /tmp/spack-public-binary-key.pub
    - aws s3 cp /tmp/spack-public-binary-key.pub "${SPACK_COPY_BUILDCACHE}/build_cache/_pgp/spack-public-binary-key.pub"
    - spack buildcache update-index --keys "${SPACK_COPY_BUILDCACHE}"
+  id_tokens:
+    GITLAB_OIDC_TOKEN:
+      aud: "${OIDC_TOKEN_AUDIENCE}"

 ########################################
 # TEMPLATE FOR ADDING ANOTHER PIPELINE
--- a/share/spack/gitlab/cloud_pipelines/configs/ci.yaml
+++ b/share/spack/gitlab/cloud_pipelines/configs/ci.yaml
@ -32,6 +32,9 @@ ci:
        CI_JOB_SIZE: "default"
        CI_GPG_KEY_ROOT: /mnt/key
        # SPACK_VERBOSE_SCRIPT: "1"
+      id_tokens:
+        GITLAB_OIDC_TOKEN:
+          aud: "${OIDC_TOKEN_AUDIENCE}"

  - signing-job:
      image: { "name": "ghcr.io/spack/notary:latest", "entrypoint": [""] }
@ -41,6 +44,9 @@ ci:
        - /sign.sh
        - aws s3 sync --exclude "*" --include "*spec.json.sig*" /tmp ${SPACK_REMOTE_MIRROR_OVERRIDE}/build_cache
        - aws s3 cp /tmp/public_keys ${SPACK_REMOTE_MIRROR_OVERRIDE}/build_cache/_pgp --recursive --exclude "*" --include "*.pub"
+      id_tokens:
+        GITLAB_OIDC_TOKEN:
+          aud: "${OIDC_TOKEN_AUDIENCE}"

  - copy-job:
      tags: ["service", "x86_64"]
@ -68,6 +74,9 @@ ci:
        CI_JOB_SIZE: "medium"
        KUBERNETES_CPU_REQUEST: "4000m"
        KUBERNETES_MEMORY_REQUEST: "16G"
+      id_tokens:
+        GITLAB_OIDC_TOKEN:
+          aud: "${OIDC_TOKEN_AUDIENCE}"

  - reindex-job:
      tags: ["service", "x86_64"]
@ -76,6 +85,9 @@ ci:
        CI_JOB_SIZE: "medium"
        KUBERNETES_CPU_REQUEST: "4000m"
        KUBERNETES_MEMORY_REQUEST: "16G"
+      id_tokens:
+        GITLAB_OIDC_TOKEN:
+          aud: "${OIDC_TOKEN_AUDIENCE}"

  - cleanup-job:
      tags: ["service"]
@ -83,6 +95,9 @@ ci:
        CI_JOB_SIZE: "small"
        KUBERNETES_CPU_REQUEST: "500m"
        KUBERNETES_MEMORY_REQUEST: "500M"
+      id_tokens:
+        GITLAB_OIDC_TOKEN:
+          aud: "${OIDC_TOKEN_AUDIENCE}"

  - noop-job:
      tags: ["service"]