Stabilize forgejo namespace auth and secrets
This commit is contained in:
parent
5c0a9b3f54
commit
5b09f3a742
8 changed files with 59 additions and 49 deletions
|
|
@ -146,25 +146,36 @@ dispatcher_secret="${REPO_ROOT}/secrets/forgejo/nsc-dispatcher-config.age"
|
|||
autoscaler_secret="${REPO_ROOT}/secrets/forgejo/nsc-autoscaler-config.age"
|
||||
|
||||
if [[ "${REFRESH_TOKEN}" -eq 1 ]]; then
|
||||
"${NSC_BIN}" auth check-login --duration 20m >/dev/null
|
||||
raw_token_file="$(mktemp)"
|
||||
trap 'rm -f "${raw_token_file}"; cleanup' EXIT
|
||||
"${NSC_BIN}" auth generate-dev-token --output_to "${raw_token_file}" >/dev/null
|
||||
RAW_NSC_TOKEN_FILE="${raw_token_file}" TOKEN_FILE="${token_file}" python3 - <<'PY'
|
||||
ssh \
|
||||
-i "${SSH_KEY}" \
|
||||
-o IdentitiesOnly=yes \
|
||||
-o UserKnownHostsFile="${KNOWN_HOSTS_FILE}" \
|
||||
-o StrictHostKeyChecking=accept-new \
|
||||
"${HOST}" \
|
||||
'sudo -u forgejo-nsc python3 - <<'"'"'PY'"'"'
|
||||
import json
|
||||
import os
|
||||
from pathlib import Path
|
||||
|
||||
raw = Path(os.environ["RAW_NSC_TOKEN_FILE"]).read_text(encoding="utf-8").strip()
|
||||
if not raw:
|
||||
raise SystemExit("generated Namespace token is empty")
|
||||
payload = {}
|
||||
|
||||
Path(os.environ["TOKEN_FILE"]).write_text(
|
||||
json.dumps({"bearer_token": raw}, indent=2) + "\n",
|
||||
encoding="utf-8",
|
||||
)
|
||||
PY
|
||||
rm -f "${raw_token_file}"
|
||||
token_json = Path("/var/lib/forgejo-nsc/.config/ns/token.json")
|
||||
if token_json.exists():
|
||||
data = json.loads(token_json.read_text(encoding="utf-8"))
|
||||
session = str(data.get("session_token", "")).strip()
|
||||
if session:
|
||||
payload["session_token"] = session
|
||||
|
||||
token_cache = Path("/var/lib/forgejo-nsc/.config/ns/token.cache")
|
||||
if token_cache.exists():
|
||||
bearer = token_cache.read_text(encoding="utf-8").strip()
|
||||
if bearer:
|
||||
payload["bearer_token"] = bearer
|
||||
|
||||
if not payload:
|
||||
raise SystemExit("forgejo-nsc host does not have a usable Namespace session")
|
||||
|
||||
print(json.dumps(payload, indent=2))
|
||||
PY' > "${token_file}"
|
||||
chmod 600 "${token_file}"
|
||||
elif [[ -f "${token_secret}" ]]; then
|
||||
burrow_decrypt_age_secret_to_temp "${REPO_ROOT}" "${token_secret}" > "${token_file}"
|
||||
|
|
@ -186,8 +197,13 @@ try:
|
|||
except json.JSONDecodeError:
|
||||
parsed = None
|
||||
|
||||
if isinstance(parsed, dict) and isinstance(parsed.get("bearer_token"), str) and parsed["bearer_token"].strip():
|
||||
raise SystemExit(0)
|
||||
if isinstance(parsed, dict):
|
||||
bearer = parsed.get("bearer_token")
|
||||
session = parsed.get("session_token")
|
||||
if isinstance(bearer, str) and bearer.strip():
|
||||
raise SystemExit(0)
|
||||
if isinstance(session, str) and session.strip():
|
||||
raise SystemExit(0)
|
||||
|
||||
path.write_text(json.dumps({"bearer_token": raw}, indent=2) + "\n", encoding="utf-8")
|
||||
PY
|
||||
|
|
|
|||
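Review bot: `> "${token_file}"` on the `PY' > "${token_file}"` line creates the token file under the caller's umask, so the Namespace bearer/session token can sit in a world-readable file until `chmod 600 "${token_file}"` runs on the following line, and a failed `ssh` or a remote `SystemExit` has already truncated `${token_file}` to empty by then. Create the file with a restrictive mode before writing and only replace the real file on success, e.g. `out="$(mktemp)"` (created 0600), redirect the ssh command to `"${out}"`, then `mv "${out}" "${token_file}"`. The removed branch reinstalled `trap 'rm -f "${raw_token_file}"; cleanup' EXIT` and the new branch sets no trap, which is only safe if `cleanup` is still registered elsewhere in the script, which this hunk does not show. If the host key for `${HOST}` can be provisioned into `${KNOWN_HOSTS_FILE}` ahead of time, `StrictHostKeyChecking=yes` would close the first-connection trust-on-first-use window that `accept-new` leaves open. The `if [[ "${REFRESH_TOKEN}" -eq 1 ]]` chain continues past the end of the hunk.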