Add token endpoint

This change adds a github registration endpoint that instances can use to fetch a github registration token. This change also invalidates disables access to an instance to the token and status updates endpoints once the instance transitions from "pending" or "installing" to any other state.
2022-12-01 18:00:22 +02:00 · 2022-12-01 18:00:22 +02:00 · a078645ab2
commit a078645ab2
parent eba42b0481
18 changed files with 252 additions and 77 deletions
--- a/contrib/providers.d/openstack/cloudconfig/install_runner.tpl
+++ b/contrib/providers.d/openstack/cloudconfig/install_runner.tpl
@ -6,11 +6,18 @@ set -o pipefail
 CALLBACK_URL="GARM_CALLBACK_URL"
 BEARER_TOKEN="GARM_CALLBACK_TOKEN"
 DOWNLOAD_URL="GH_DOWNLOAD_URL"
+DOWNLOAD_TOKEN="GH_TEMP_DOWNLOAD_TOKEN"
 FILENAME="GH_FILENAME"
 TARGET_URL="GH_TARGET_URL"
 RUNNER_TOKEN="GH_RUNNER_TOKEN"
 RUNNER_NAME="GH_RUNNER_NAME"
 RUNNER_LABELS="GH_RUNNER_LABELS"
+TEMP_TOKEN=""
+
+if [ ! -z "$DOWNLOAD_TOKEN" ]; then
+	TEMP_TOKEN="Authorization: Bearer $DOWNLOAD_TOKEN"
+fi
+

 function call() {
 	PAYLOAD="$1"
@ -37,7 +44,7 @@ function fail() {


 sendStatus "downloading tools from ${DOWNLOAD_URL}"
-curl -L -o "/home/runner/${FILENAME}" "${DOWNLOAD_URL}" || fail "failed to download tools"
+curl -L -H "${TEMP_TOKEN}" -o "/home/runner/${FILENAME}" "${DOWNLOAD_URL}" || fail "failed to download tools"

 mkdir -p /home/runner/actions-runner || fail "failed to create actions-runner folder"

--- a/contrib/providers.d/openstack/garm-external-provider
+++ b/contrib/providers.d/openstack/garm-external-provider
@ -145,6 +145,20 @@ function downloadURL() {
    echo "${URL}"
 }

+function tempDownloadToken() {
+    # temp_download_token
+    [ -z "$1" -o -z "$2" ] && return 1
+    GH_ARCH="${GARM_TO_GH_ARCH_MAP[$2]}"
+    TOKEN=$(echo "$INPUT" | jq -c -r --arg OS "$1" --arg ARCH "$GH_ARCH" '(.tools[] | select( .os == $OS and .architecture == $ARCH)).temp_download_token')
+    echo "${TOKEN}"
+}
+
+function runnerTokenURL() {
+    TOKEN_URL=$(echo "$INPUT" | jq -c -r '."token-url"')
+    checkValNotNull "${TOKEN_URL}" "token-url" || return $?
+    echo "${TOKEN_URL}"
+}
+
 function downloadFilename() {
    [ -z "$1" -o -z "$2" ] && return 1
    GH_ARCH="${GARM_TO_GH_ARCH_MAP[$2]}"
@ -177,8 +191,19 @@ function repoURL() {
    echo "${REPO}"
 }

+function getRegistrationTokenFromAPI() {
+    TOKEN_URL=$(runnerTokenURL)
+    BEARER_TOKEN=$(callbackToken)
+    TOKEN=$(curl -s -X GET -H 'Accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" "${TOKEN_URL}")
+    checkValNotNull "${TOKEN}" "repo_url" || return $?
+    echo "${TOKEN}"
+}
+
 function ghAccessToken() {
    TOKEN=$(echo "$INPUT" | jq -c -r '.github_runner_access_token')
+    if [ -z "$TOKEN" ];then
+        TOKEN=$(getRegistrationTokenFromAPI)
+    fi
    checkValNotNull "${TOKEN}" "github_runner_access_token" || return $?
    echo "${TOKEN}"
 }
@ -215,6 +240,7 @@ function getCloudConfig() {

    ARCH=$(requestedArch)
    DW_URL=$(downloadURL "${OS_TYPE}" "${ARCH}")
+    DW_TOKEN=$(tempDownloadToken "${OS_TYPE}" "${ARCH}")
    DW_FILENAME=$(downloadFilename "${OS_TYPE}" "${ARCH}")
    LABELS=$(labels)

@ -230,6 +256,7 @@ function getCloudConfig() {
    -e "s|GH_TARGET_URL|$(repoURL)|g" \
    -e "s|GH_RUNNER_TOKEN|$(ghAccessToken)|g" \
    -e "s|GH_RUNNER_NAME|$(instanceName)|g" \
+    -e "s|GH_TEMP_DOWNLOAD_TOKEN|${DW_TOKEN}|g" \
    -e "s|GH_RUNNER_LABELS|${LABELS}|g" > ${TMP_SCRIPT}

    AS_B64=$(base64 -w0 ${TMP_SCRIPT})
@ -306,7 +333,7 @@ function CreateInstance() {
    if [ $? -ne 0 ];then
        CODE=$?
        # cleanup
-        rm -f "${CC_FILE}" || true 
+        rm -f "${CC_FILE}" || true
        openstack server delete "${INSTANCE_NAME}" || true
        openstack volume delete "${INSTANCE_NAME}" || true
        set -e