provide PACKAGES_TOKEN secret

2024-08-20 11:25:19 +02:00
parent 80fa4ca92f
commit 95f365dbb5
6 changed files with 116 additions and 13 deletions
--- a/ansible/arcodange/factory/playbooks/03_cicd.yml
+++ b/ansible/arcodange/factory/playbooks/03_cicd.yml
@@ -3,6 +3,9 @@
 - name: Deploy Gitea Action
  hosts: raspberries:&local:!gitea # do not deploy on machine with gitea instance

+  roles:
+    - arcodange.factory.gitea_token # generate gitea_api_token used to replace generated token with set name if required
+
  tasks:

    - name: Fetch Gitea Token for Action Runner registration
@@ -39,9 +42,9 @@
                # You don't have to copy this file to your instance,
                # just run `./act_runner generate-config > config.yaml` to generate a config file.

-                log:
-                  # The level of logging, can be trace, debug, info, warn, error, fatal
-                  level: info
+                #log:
+                #  # The level of logging, can be trace, debug, info, warn, error, fatal
+                #  level: info

                runner:
                  # Where to store the registration result.
@@ -132,13 +135,35 @@
                  # The parent directory of a job's working directory.
                  # If it's empty, $HOME/.cache/act/ will be used.
                  workdir_parent:
-    - name: Deploy Gitea with Docker Compose
+    - name: Deploy Gitea Action with Docker Compose
      community.docker.docker_compose_v2:
        project_src: "/home/pi/arcodange/docker_composes/arcodange_factory_gitea_action"
        pull: missing
        state: present
      register: deploy_result
    
+    - name: Set PACKAGES_TOKEN secret to upload packages from CI
+      run_once: True
+      block:
+        - name: Generate cicd PACKAGES_TOKEN
+          include_role:
+            name: arcodange.factory.gitea_token
+          vars:
+            gitea_token_name: PACKAGES_TOKEN
+            gitea_token_fact_name: cicd_PACKAGES_TOKEN
+            gitea_token_scopes: write:package
+            gitea_token_replace: true
+
+        - name: Register cicd PACKAGES_TOKEN secrets
+          include_role:
+            name: arcodange.factory.gitea_secret
+          vars:
+            gitea_secret_name: PACKAGES_TOKEN
+            gitea_secret_value: "{{ cicd_PACKAGES_TOKEN }}"
+          loop: ["organization", "user"]
+          loop_control:
+            loop_var: gitea_owner_type # Peut être "user" ou "organization"
+    
    - name: Deploy Argo CD
      run_once: true
      block:
@@ -150,3 +175,9 @@
        - name: Sync other repos
          include_role:
            name: arcodange.factory.gitea_sync
+  
+  post_tasks:
+    - include_role:
+        name: arcodange.factory.gitea_token
+      vars:
+        gitea_token_delete: true
--- a/ansible/arcodange/factory/playbooks/setup/gitea.yml
+++ b/ansible/arcodange/factory/playbooks/setup/gitea.yml
@@ -169,7 +169,7 @@
                  username: "{{ gitea_org_name }}"
                  full_name: "{{ gitea_org_full_name }}"
                  description: "{{ gitea_org_description }}"
-                  visibility: private
+                  visibility: public
                  website: "{{ gitea_org_website }}"
                  location: "{{ gitea_org_location }}"
                status_code: 201
--- a/ansible/arcodange/factory/roles/gitea_secret/defaults/main.yml
+++ b/ansible/arcodange/factory/roles/gitea_secret/defaults/main.yml
@@ -0,0 +1,11 @@
+gitea_username: arcodange
+gitea_organization: arcodange-org
+
+# URL de base du serveur Gitea
+gitea_base_url: http://{{ groups.gitea[0] }}:3000
+
+gitea_secret_name: "my_secret"      # The name of the secret to put
+gitea_secret_value: "super_secret_value"  # The value of the secret
+gitea_owner_type: "user"            # Can be "user" or "organization"
+gitea_owner_name: >-  # Username or organization name
+  {{ (gitea_owner_type == 'user') | ternary(gitea_username, gitea_organization) }}
--- a/ansible/arcodange/factory/roles/gitea_secret/tasks/main.yml
+++ b/ansible/arcodange/factory/roles/gitea_secret/tasks/main.yml
@@ -0,0 +1,37 @@
+- name: Generate Gitea Token
+  include_role:
+    name: arcodange.factory.gitea_token
+
+- name: Préparer l'URL de l'API pour mettre à jour ou ajouter un secret
+  set_fact:
+    gitea_api_url: |
+      {{
+        gitea_base_url ~ "/api/v1/"
+        ~ ((gitea_owner_type == 'user') | ternary('user', 'orgs/' ~ gitea_owner_name))  
+        ~ "/actions/secrets/" ~ gitea_secret_name
+      }}
+
+- name: Ajouter ou mettre à jour le secret
+  uri:
+    url: "{{ gitea_api_url }}"
+    method: PUT
+    headers:
+      Authorization: "token {{ gitea_api_token }}"
+      Content-Type: "application/json"
+    body_format: json
+    body: |
+      {
+        "name": "{{ gitea_secret_name }}",
+        "data": "{{ gitea_secret_value }}"
+      }
+    status_code:
+      - 201
+      - 204
+  register: gitea_secret_update
+
+- name: Afficher la réponse après l'ajout ou la mise à jour du secret
+  debug:
+    msg: >-
+      Secret {{ gitea_secret_name }}
+      {{ (gitea_secret_update.status == 204) | ternary('mis à jour','créé') }}
+      pour {{ gitea_owner_type }} {{ gitea_owner_name }}.
--- a/ansible/arcodange/factory/roles/gitea_token/defaults/main.yml
+++ b/ansible/arcodange/factory/roles/gitea_token/defaults/main.yml
@@ -1,4 +1,8 @@
 gitea_user_name: arcodange
 gitea_container_name: gitea
 gitea_token_scopes: write:admin,write:organization,write:package,write:repository,write:user
-# gitea_base_url: 'http://{{ groups.gitea[0] }}:3000'
+gitea_token_fact_name: gitea_api_token
+gitea_base_url: 'http://{{ groups.gitea[0] }}:3000'
+gitea_token_replace: false
+gitea_token_name: ansible-{{ ansible_date_time.iso8601 }} # require gathering facts
+gitea_token_delete: false # only delete token
--- a/ansible/arcodange/factory/roles/gitea_token/tasks/main.yml
+++ b/ansible/arcodange/factory/roles/gitea_token/tasks/main.yml
@@ -1,10 +1,12 @@
 # to see generated tokens
 # go to https://gitea.arcodange.duckdns.org/user/settings/applications

- when: gitea_api_token is undefined
+- when: lookup('ansible.builtin.varnames', '^' ~ gitea_token_fact_name ~ '$') | length == 0 or gitea_token_delete
  block:
    
-    - name: Create new token for ansible
+    - &createTokenTask
+      name: Create new token for ansible
+      when: not gitea_token_delete
      delegate_to: "{{ groups.gitea[0] }}"
      delegate_facts: true
      ansible.builtin.command: >-
@@ -13,11 +15,29 @@
        --username {{ gitea_user_name }}
        --token-name {{ gitea_token_name }}
        --raw
-        --scopes {{gitea_token_scopes}}
+        --scopes {{ gitea_token_scopes }}
      register: gitea_api_token_cmd
-      vars:
-        # ansible_date_time requires having gathered facts
-        gitea_token_name: ansible-{{ ansible_date_time.iso8601 }}
+      ignore_errors: '{{ gitea_token_replace }}'
+    
+    - name: replace token
+      when:
+        - gitea_token_delete or gitea_api_token_cmd.rc != 0
+        - gitea_token_delete or "'access token name has been used already' in gitea_api_token_cmd.stderr"
+        - gitea_token_delete or gitea_token_replace
+        - gitea_api_token is defined
+      block:
+        - name: "delete token{{ gitea_token_replace | ternary(' to replace','') }}"
+          uri:
+            url: "{{ gitea_base_url }}/api/v1/users/{{ gitea_user_name }}/tokens/{{ gitea_token_name }}"
+            method: DELETE
+            headers:
+              Authorization: "Basic {{ (gitea_user_name ~ ':' ~ gitea_api_token) | b64encode }}"
+              Accept: application/json'
+            status_code: 204
+        - <<: *createTokenTask
+          ignore_errors: false
+          register: gitea_api_token_cmd_bis

    - ansible.builtin.set_fact:
-        gitea_api_token: '{{ gitea_api_token_cmd.stdout }}'
+        '{{ gitea_token_fact_name }}': '{{ (gitea_api_token_cmd.rc == 0) | ternary(gitea_api_token_cmd.stdout, gitea_api_token_cmd_bis.stdout) }}'
+      when: not gitea_token_delete