From 32c919d1fc905094d49aef68d2aae48d71fe9724 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Tue, 16 Jul 2024 14:58:58 +0200 Subject: [PATCH] Use authentication tokens for PM GitLab runner Starting with GitLab 16, there is a new mechanism to authenticate the runners via authentication tokens, so use it instead. Older tokens and runners are also removed, as they are no longer used. With the new way of managing tokens, both the tags and the locked state are managed from the GitLab web page. See: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html --- m/hut/gitlab-runner.nix | 24 +++++------------------- secrets/gitlab-bsc-es-token.age | 11 ----------- secrets/gitlab-runner-docker-token.age | 9 +++++++++ secrets/gitlab-runner-shell-token.age | Bin 0 -> 514 bytes secrets/nosv-token.age | 11 ----------- secrets/ovni-token.age | Bin 553 -> 0 bytes secrets/secrets.nix | 5 ++--- 7 files changed, 16 insertions(+), 44 deletions(-) delete mode 100644 secrets/gitlab-bsc-es-token.age create mode 100644 secrets/gitlab-runner-docker-token.age create mode 100644 secrets/gitlab-runner-shell-token.age delete mode 100644 secrets/nosv-token.age delete mode 100644 secrets/ovni-token.age diff --git a/m/hut/gitlab-runner.nix b/m/hut/gitlab-runner.nix index 3cbe4f6..226099b 100644 --- a/m/hut/gitlab-runner.nix +++ b/m/hut/gitlab-runner.nix @@ -1,9 +1,8 @@ { pkgs, lib, config, ... }: { - age.secrets.ovniToken.file = ../../secrets/ovni-token.age; - age.secrets.gitlabToken.file = ../../secrets/gitlab-bsc-es-token.age; - age.secrets.nosvToken.file = ../../secrets/nosv-token.age; + age.secrets.gitlabRunnerShellToken.file = ../../secrets/gitlab-runner-shell-token.age; + age.secrets.gitlabRunnerDockerToken.file = ../../secrets/gitlab-runner-docker-token.age; services.gitlab-runner = { enable = true; @@ -11,20 +10,14 @@ services = let common-shell = { executor = "shell"; - tagList = [ "nix" "xeon" ]; - registrationFlags = [ - # Using space doesn't work, and causes it to misread the next flag - "--locked='false'" - ]; environmentVariables = { SHELL = "${pkgs.bash}/bin/bash"; }; }; common-docker = { + executor = "docker"; dockerImage = "debian:stable"; - tagList = [ "docker" "xeon" ]; registrationFlags = [ - "--locked='false'" "--docker-network-mode host" ]; environmentVariables = { @@ -33,19 +26,12 @@ }; }; in { - # For gitlab.bsc.es - gitlab-bsc-es-shell = common-shell // { - registrationConfigFile = config.age.secrets.gitlabToken.path; - }; - gitlab-bsc-es-docker = common-docker // { - registrationConfigFile = config.age.secrets.gitlabToken.path; - }; # For pm.bsc.es/gitlab gitlab-pm-shell = common-shell // { - registrationConfigFile = config.age.secrets.ovniToken.path; + authenticationTokenConfigFile = config.age.secrets.gitlabRunnerShellToken.path; }; gitlab-pm-docker = common-docker // { - registrationConfigFile = config.age.secrets.ovniToken.path; + authenticationTokenConfigFile = config.age.secrets.gitlabRunnerDockerToken.path; }; }; }; diff --git a/secrets/gitlab-bsc-es-token.age b/secrets/gitlab-bsc-es-token.age deleted file mode 100644 index ffe7aaf..0000000 --- a/secrets/gitlab-bsc-es-token.age +++ /dev/null @@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 HY2yRg caTbx0NBmsTSmZH4HtBaxhsauWqWUDTesJqT08UsoEQ -8ND31xuco+H8d5SKg8xsCFRPVDhU4d8UKwV1BnmKVjQ --> ssh-ed25519 CAWG4Q 4ETYuhCwHHECkut4DWDknMMgpAvFqtzLWVC2Wi2L8FM -BGMvRnAfd8qZG5hzLefmk32FkGvwzE9pqBUyx4JY0co --> ssh-ed25519 MSF3dg hj5QL4ZfylN8/W/MXQHvVqtI7mRvlQOYr8HsaQEmPB0 -kvB7sljmmkswSGZDQnrwdTbTsN78EAwH3pz1pPe0Hu0 --> )Q-grease vHF} [8p1> @7z;C"/ -tgSUKFyyrf2jLXZp+pakigwB2fRO/WFj2Qnt1aPjtVPEK92JbJ4 ---- xzM0AhV4gTQE0Q7inJNo9vFj+crJQxWeI7u9pl7bqAI -6nGJ0B7Fbٽ2L]2zl&eKx9SWNV"MfKHUC:1b;9StDuѧϢ̟f71I(d \ No newline at end of file diff --git a/secrets/gitlab-runner-docker-token.age b/secrets/gitlab-runner-docker-token.age new file mode 100644 index 0000000..b11b2d2 --- /dev/null +++ b/secrets/gitlab-runner-docker-token.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 HY2yRg WvKK6U1wQtx2pbUDfuaUIXTQiCulDkz7hgUCSwMfMzQ +jLktUMqKuVxukqzz++pHOKvmucUQqeKYy5IwBma7KxY +-> ssh-ed25519 CAWG4Q XKGuNNoYFl9bdZzsqYYTY7GsEt5sypLW4R+1uk78NmU +8dIA2GzRAwTGM5CDHSM2BUBsbXzEAUssWUz2PY2PaTg +-> ssh-ed25519 MSF3dg T630RsKuZIF/bp+KITnIIWWHsg6M/VQGqbWQZxqT+AA +SraZcgZJVtmUzHF/XR9J7aK5t5EDNpkC/av/WJUT/G8 +--- /12G8pj9sbs591OM/ryhoLnSWWmzYcoqprk9uN/3g18 +‡%]yi"L H`a$)9ve.0mKv u"|1c-%"WFAh$j{M-DJ%>R zF)b;}sc;GlOwWr7%1llxGBArW%Q6HC>lbGD1mt`Bh8U&$a+&*w=2~PWCT930XLzT% z<#`x|hPmY>WmdSPS!O4OWqap(N0s{JWxEAMqTA-|818NosNmu2<5!g#Qf^{im>rU; zA6Vp;>k%28o#zx#YN^)9A1%{Rp49f=o^?@ z?&?vf9~9tk8g6Eu=NFh$<&*iVK7H&NL&aqnY6aWvbxH ssh-ed25519 HY2yRg hrdS7Dl/j+u3XVfM79ZJpZSlre9TcD7DTQ+EEAT6kEE -avUO96P1h7w2BYWgrQ7GpUgdaCV9AZL7eOTTcF9gfro --> ssh-ed25519 CAWG4Q A5raRY1CAgFYZgoQ92GMyNejYNdHx/7Y6uTS+EjLPWA -FRFqT2Jz7qRcybaxkQTKHGl797LVXoHpYG4RZSrX/70 --> ssh-ed25519 MSF3dg D+R80Bg7W9AuiOMAqtGFZQl994dRBIegYRLmmTaeZ3o -BHvZsugRiuZ91b4jk91h30o3eF3hadSnVCwxXge95T8 --> BT/El`a-grease W{nq|Vm )bld 2Nl}4 N$#JGB4t -oLG+0S1aGfO/ohCfgGmhDhwwLi4H ---- 2I5C+FvBG/K1ZHh7C5QD39feTSLoFGwcTeZAmeILNsI -Wo d;C._(u G#vgɝyYl9ϵ.0x޽N./tBbK:Q\T_txm_Jޞ- \ No newline at end of file diff --git a/secrets/ovni-token.age b/secrets/ovni-token.age deleted file mode 100644 index 4378c388dd465e6d39681bbca5354136454855f8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 553 zcmZ9HO>5Ht06;}VFiaHjvWo=4Q%IAv`B;Sw+9XZVHf_^%$r42DN18TClcq`2q$-Fg zUWCC;A}V+gL7XSSgCg_eA}A=EF!kW@Ac#2k2L=w0`vH&lUeh#S!)=d}Vc7TFls7Vw z2m{~+FbI0E(Mb~omIZk&ozzWG*F9CSg6_bM1W4%GOU@Es#E^7FX<@cepxS+|f%H1E zH$Z{VfHY#v>Mb7E*k(JT(E{i9GpK^N95V${Wei9WI84Y<>H#f&JlB%qnTJmsrO{AIh;~Oi-Pc}6?t*XnsC`9ujYVG zl+@8FLW-hW_ZXq3MxxJ9iIY^y6rrhFAi48Sl9s)T?dS~{l)tlQ(sQ73LqT$^-B7YU*maoltTlga_p@3ny=E1UU^m1B76 zJAHfh=by_TpKLs~-ah?s_dtM(()zR2m#ORbFV1fL4z#Olb@|QCb}-jyF` zPpp0+FU-6*U+|BX?|h>lY@h!$f9PcV{MGSy$kFBXouMLc-+Xv(_sslE_V8MBcj5Kc NU+43!ujyYm)PDq_#q9t9 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9844734..747b4aa 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -6,10 +6,9 @@ let safe = keys.hostGroup.safe ++ adminsKeys; in { - "gitlab-bsc-es-token.age".publicKeys = hut; "gitea-runner-token.age".publicKeys = hut; - "ovni-token.age".publicKeys = hut; - "nosv-token.age".publicKeys = hut; + "gitlab-runner-docker-token.age".publicKeys = hut; + "gitlab-runner-shell-token.age".publicKeys = hut; "nix-serve.age".publicKeys = hut; "jungle-robot-password.age".publicKeys = hut;