DataBiosphere · cahrens · Jul 3, 2024 · Jul 2, 2024 · Jul 2, 2024 · Jul 2, 2024
@@ -0,0 +1,33 @@
+name: 'write-credentials'
+description: |
+  Collect the needed credentials for integration testing and place them in a
+  directory named "rendered". Note that all of these secrets are
+  assumed to be base64-encoded JSON service account keys.
+inputs:
+  buffer-app-sa-b64:
+    description: 'Base64-encoded buffer (RBS) service account'
+    required: true
+  janitor-sa-b64:
+    description: 'Base64-encoded CRL Janitor service account'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Write credentials
+      id: 'setup-user-delegated-creds'
+      run: |
+        mkdir -p rendered
+
+        BUFFER_APP_SA_B64=${{ inputs.buffer-app-sa-b64 }}
+        echo ::add-mask::BUFFER_APP_SA_B64
+        BUFFER_APP_SA=$(echo $BUFFER_APP_SA_B64 | base64 --decode)
+        echo ::add-mask::$BUFFER_APP_SA
+        echo $BUFFER_APP_SA > rendered/sa-account.json  
+
+        JANITOR_SA_B64=${{ inputs.janitor-sa-b64 }}
+        echo ::add-mask::$JANITOR_SA_B64
+        JANITOR_SA=$(echo $JANITOR_SA_B64 | base64 --decode)
+        echo ::add-mask::$JANITOR_SA
+        echo $JANITOR_SA > rendered/janitor-client-sa-account.json
+      shell: bash
@@ -39,28 +39,13 @@ jobs:
         uses: ./.github/actions/bump-skip
         with:
           event-name: ${{ github.event_name }}
-      - name: Pull Vault image
+      - name: Write credentials for integration tests
         if: steps.skiptest.outputs.is-bump == 'no'
-        run: docker pull vault:1.1.0
-      # Currently, there's no way to add capabilities to Docker actions on Git, and Vault needs IPC_LOCK to run.
-      - name: Get Vault token
-        if: steps.skiptest.outputs.is-bump == 'no'
-        id: vault-token-step
-        run: |
-          VAULT_TOKEN=$(docker run --rm --cap-add IPC_LOCK \
-            -e "VAULT_ADDR=${VAULT_ADDR}" \
-            vault:1.1.0 \
-            vault write -field token \
-              auth/approle/login role_id=${{ secrets.VAULT_APPROLE_ROLE_ID }} \
-              secret_id=${{ secrets.VAULT_APPROLE_SECRET_ID }})
-          echo ::add-mask::$VAULT_TOKEN
-          echo vault-token=$VAULT_TOKEN >> $GITHUB_OUTPUT
-      - name: Grant execute permission for render-config
-        if: steps.skiptest.outputs.is-bump == 'no'
-        run: chmod +x local-dev/render-config.sh
-      - name: Render configuration for tests
-        if: steps.skiptest.outputs.is-bump == 'no'
-        run: local-dev/render-config.sh ${{ steps.vault-token-step.outputs.vault-token }}
+        id: write-credentials
+        uses: ./.github/actions/write-credentials
+        with:
+          janitor-sa-b64: ${{ secrets.JANITOR_SA_DEV }}
+          buffer-app-sa-b64: ${{ secrets.BUFFER_APP_SA_DEV }}
       - name: Initialize Postgres DB
         if: steps.skiptest.outputs.is-bump == 'no'
         env:

@@ -6,7 +6,7 @@ test {
 
 import org.gradle.api.tasks.testing.logging.TestExceptionFormat
 // This is the path to the default Google service account for the buffer service to run as.
-def googleCredentialsFile = "${projectDir}/src/test/resources/rendered/sa-account.json"
+def googleCredentialsFile = "${projectDir}/rendered/sa-account.json"
 tasks.withType(Test) {
     environment = [
             'GOOGLE_APPLICATION_CREDENTIALS': "${googleCredentialsFile}"

@@ -3,7 +3,7 @@ buffer:
     # If CRL is used in testing mode.
     testing-mode: true
     # Use in test to clean up created cloud resource.
-    janitor-client-credential-file-path: src/test/resources/rendered/janitor-client-sa-account.json
+    janitor-client-credential-file-path: rendered/janitor-client-sa-account.json
     janitor-track-resource-project-id: terra-kernel-k8s
     janitor-track-resource-topic-id: crljanitor-tools-pubsub-topic
   pool: