feat: handle tokens via Bitwarden Vault (#658)

feat: handle tokens via Bitwarden Vault

Fixes packit/private#41

TODO:

 Update or write new documentation in packit/packit.dev.
 Update the format of logins for the production in Bitwarden



Fixes packit/private#41

Reviewed-by: Laura Barcziová

Author: softwarefactory-project-zuul[bot]

secrets/packit/prod/centpkg-sig.conf.j2

@@ -29,4 +29,6 @@ git_excludes =
 
 [centpkg-sig.distgit]
 apibaseurl = https://gitlab.com
-token = {{ vault.packit_service.authentication['gitlab.com'].token }}
+{% set gitlab_forge = git_forges | selectattr('name', 'equalto', 'gitlab.com') | first %}
+{% set gitlab_fields = gitlab_forge['fields'] | items2dict(key_name='name') %}
+token = {{ gitlab_fields['token:key'] }}

secrets/packit/prod/packit-service.yaml.j2

@@ -5,6 +5,29 @@ fas_user: packit
 keytab_path: /secrets/fedora.keytab
 validate_webhooks: true
 
+# {{ ansible_managed }}
+# Please adjust the values in the respective logins in the Bitwarden Vault
+authentication:
+{% for forge in git_forges %}
+{% set fields = forge['fields'] | items2dict(key_name='name') %}
+  {{ forge['name'] }}:
+    instance_url: {{ forge['login']['uris'][0].uri }}
+    # Login: {{ forge['login']['username'] }}
+    # Token name: {{ fields.get('token:name') }}
+    # Scope: {{ fields.get('token:permissions') }}
+    # Expiration: {{ fields.get('token:expiration') }}
+    token: {{ fields.get('token:key') }}
+{% if 'type' in fields and 'github_app' in fields['type'] %}
+    # GitHub App set up
+    github_app_id: '{{ fields.get('app_id') }}'
+    github_app_private_key_path: {{ fields.get('app_private_key_path') }}
+{% endif %}
+{% if 'token:type' in fields %}
+    type: {{ fields.get('token:type') }}
+{% endif %}
+
+{% endfor %}
+
 {{ vault.packit_service | to_nice_yaml }}
 
 testing_farm_api_url: https://api.testing-farm.io/v0.1/

secrets/packit/stg/centpkg-sig.conf.j2

@@ -29,4 +29,6 @@ git_excludes =
 
 [centpkg-sig.distgit]
 apibaseurl = https://gitlab.com
-token = {{ vault.packit_service.authentication['gitlab.com'].token }}
+{% set gitlab_forge = git_forges | selectattr('name', 'equalto', 'gitlab.com') | first %}
+{% set gitlab_fields = gitlab_forge['fields'] | items2dict(key_name='name') %}
+token = {{ gitlab_fields['token:key'] }}

secrets/packit/stg/packit-service.yaml.j2

@@ -6,6 +6,29 @@ keytab_path: /secrets/fedora.keytab
 comment_command_prefix: "/packit-stg"
 validate_webhooks: true
 
+# {{ ansible_managed }}
+# Please adjust the values in the respective logins in the Bitwarden Vault
+authentication:
+{% for forge in git_forges %}
+{% set fields = forge['fields'] | items2dict(key_name='name') %}
+  {{ forge['name'] }}:
+    instance_url: {{ forge['login']['uris'][0].uri }}
+    # Login: {{ forge['login']['username'] }}
+    # Token name: {{ fields.get('token:name') }}
+    # Scope: {{ fields.get('token:permissions') }}
+    # Expiration: {{ fields.get('token:expiration') }}
+    token: {{ fields.get('token:key') }}
+{% if 'type' in fields and 'github_app' in fields['type'] %}
+    # GitHub App set up
+    github_app_id: '{{ fields.get('app_id') }}'
+    github_app_private_key_path: {{ fields.get('app_private_key_path') }}
+{% endif %}
+{% if 'token:type' in fields %}
+    type: {{ fields.get('token:type') }}
+{% endif %}
+
+{% endfor %}
+
 {{ vault.packit_service | to_nice_yaml }}
 
 # temporarily unavailable, use production in the meanwhile

tasks/set-facts.yml

@@ -47,3 +47,13 @@
     - always
   ansible.builtin.set_fact:
     redis_hostname: "{{ kv_database }}"
+
+- name: Set Bitwarden URI
+  ansible.builtin.set_fact:
+    bw_uri: "ansible://{{ service }}/{{ deployment }}"
+
+- name: Fetch git forges
+  tags:
+    - always
+  ansible.builtin.set_fact:
+    git_forges: "{{ lookup('community.general.bitwarden', bw_uri + '/git', search='') }}"