Skip to content

Commit

Permalink
Merge pull request #11 from acaire/add_render_command
Browse files Browse the repository at this point in the history
Add render command
  • Loading branch information
pzeballos authored Jul 18, 2024
2 parents bc251de + 09c98b3 commit d9d647e
Show file tree
Hide file tree
Showing 5 changed files with 65 additions and 0 deletions.
4 changes: 4 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,10 @@ steps:

- The time (in seconds) the OIDC token will be valid for before expiry. Must be a non-negative integer. If the flag is omitted or set to 0, the API will choose a default finite lifetime. (default: 0)

### `render-command` (string)

- An installed binary that when specified, will run twice to process the values of `audience` and `service-account` via stdin. This is intended to be used to render environment variables with an application such as `envsubst`. (default: '')

## Developing

To run testing, shellchecks and plugin linting use use `bk run` with the [Buildkite CLI](https://github.com/buildkite/cli).
Expand Down
10 changes: 10 additions & 0 deletions hooks/pre-command
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,16 @@ if [[ -z "${BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_SERVICE_ACCOUNT:-}
exit 1
fi

if [[ -n "${BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_RENDER_COMMAND:-}" ]]; then
# Test that the given command exists, otherwise fail
command -v "${BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_RENDER_COMMAND}" || {
echo "🚨 Render command file '${BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_RENDER_COMMAND}' not found"
exit 1
}
BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_AUDIENCE="$(echo "${BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_AUDIENCE}" | ${BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_RENDER_COMMAND})"
BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_SERVICE_ACCOUNT="$(echo "${BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_SERVICE_ACCOUNT}" | ${BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_RENDER_COMMAND})"
fi

# Create a temporary directory with both BSD and GNU mktemp
TMPDIR=$(mktemp -d 2>/dev/null || mktemp -d -t 'buildkiteXXXX')

Expand Down
2 changes: 2 additions & 0 deletions plugin.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ configuration:
type: string
lifetime:
type: number
render-command:
type: string
required:
- audience
- service-account
Expand Down
45 changes: 45 additions & 0 deletions tests/pre-command.bats
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,16 @@ setup() {
assert_failure
}

@test "fails when render command has non-existent binary" {
export BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_AUDIENCE="//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/buildkite-example-pipeline/providers/buildkite"
export BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_SERVICE_ACCOUNT="buildkite-example-pipeline@oidc-project.iam.gserviceaccount.com"
export BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_RENDER_COMMAND="this-file-purposely-does-not-exist"

run "$PWD/hooks/pre-command"

assert_failure
}

@test "succeeds when mktemp fails once" {
export BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_AUDIENCE="//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/buildkite-example-pipeline/providers/buildkite"
export BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_SERVICE_ACCOUNT="buildkite-example-pipeline@oidc-project.iam.gserviceaccount.com"
Expand Down Expand Up @@ -83,3 +93,38 @@ JSON)
unstub mktemp
unstub buildkite-agent
}
@test "exports credentials with render command using envsubst" {
export GCP_PROJECT_ID=oidc-project
export GCP_PROJECT_NUMBER=123456789
export BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_AUDIENCE="//iam.googleapis.com/projects/\${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/buildkite-example-pipeline/providers/buildkite"
export BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_SERVICE_ACCOUNT="buildkite-example-pipeline@\${GCP_PROJECT_ID}.iam.gserviceaccount.com"
export BUILDKITE_PLUGIN_GCP_WORKLOAD_IDENTITY_FEDERATION_RENDER_COMMAND="envsubst"
stub mktemp "-d : echo $BATS_TEST_TMPDIR"
stub buildkite-agent "oidc request-token --audience //iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/buildkite-example-pipeline/providers/buildkite --lifetime 0 : echo dummy-jwt"
run "$PWD/hooks/pre-command"
assert_success
assert_output --partial "Requesting OIDC token from Buildkite"
assert_output --partial "Configuring Google Cloud credentials"
diff $BATS_TEST_TMPDIR/token.json <(echo dummy-jwt)
diff $BATS_TEST_TMPDIR/credentials.json <(cat << JSON
{
"type": "external_account",
"audience": "//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/buildkite-example-pipeline/providers/buildkite",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/buildkite-example-pipeline@oidc-project.iam.gserviceaccount.com:generateAccessToken",
"credential_source": {
"file": "$BATS_TEST_TMPDIR/token.json"
}
}
JSON)
unstub mktemp
unstub buildkite-agent
}
4 changes: 4 additions & 0 deletions tests/setup_suite.bash
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
setup_suite() {
echo '# Installing envsubst' >&2
apk --no-cache add gettext | sed -e 's/^/# /' >&2
}

0 comments on commit d9d647e

Please sign in to comment.