Enable access via ssh-oidc and cloud.egi.eu

.github/workflows/deploy.yaml

@@ -1,126 +1,130 @@
 ---
-name: 'Deploy'
+name: "Deploy"
 
 on:
   push:
     branches:
       - main
   pull_request:
     paths:
-      - 'deployment/**'
+      - "deployment/**"
 
-permissions: 
+permissions:
   pull-requests: write
 
 jobs:
   terraform:
-    name: 'Terraform'
+    name: "Terraform"
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - name: Setup python
-      uses: actions/setup-python@v5
-      with:
-        python-version: 3.x
-    - name: Install environment
-      run: |
-        curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq
-        chmod +x jq
-        pip install yq ansible git+https://github.com/tdviet/fedcloudclient.git
-        curl -L https://github.com/oidc-mytoken/client/releases/download/v0.5.2/mytoken_0.5.2_linux_64-bit.tar.gz \
-          | tar -xzf -
-        mkdir ~/.mytoken
-        curl https://raw.githubusercontent.com/oidc-mytoken/client/master/config/example-config.yaml \
-          | sed 's/default_provider:/default_provider: "egi"/g' \
-          > ~/.mytoken/config.yaml
-    - name: Configure providers access
-      env:
-        MYTOKEN: ${{ secrets.MYTOKEN }}
-      run: |
-        PATH="$PWD:$PATH"
-        cd deployment
-        ./site-config.sh
-    - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v3
-      with:
-        terraform_version: 1.2.9
-    - name: Terraform Format
-      id: fmt
-      run: |
-        cd deployment
-        terraform fmt -check
-    - name: Terraform init
-      id: init
-      run: |
-        cd deployment
-        terraform init
-    - name: terraform plan
-      id: plan
-      if: github.event_name == 'pull_request'
-      run: |
-        cd deployment
-        terraform plan -no-color -var-file=deploy.tfvars
-      continue-on-error: true
-    - name: Update Pull Request
-      uses: actions/github-script@v7
-      if: github.event_name == 'pull_request'
-      env:
-        PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
-      with:
-        github-token: ${{ secrets.GITHUB_TOKEN }}
-        script: |
-          const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
-          #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
-          #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
-          <details><summary>Show Plan</summary>
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+      - name: Install environment
+        run: |
+          curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq
+          chmod +x jq
+          pip install yq ansible git+https://github.com/tdviet/fedcloudclient.git
+          curl -L https://github.com/oidc-mytoken/client/releases/download/v0.5.2/mytoken_0.5.2_linux_64-bit.tar.gz \
+            | tar -xzf -
+          mkdir ~/.mytoken
+          curl https://raw.githubusercontent.com/oidc-mytoken/client/master/config/example-config.yaml \
+            | sed 's/default_provider:/default_provider: "egi"/g' \
+            > ~/.mytoken/config.yaml
+          # add PWD to the PATH
+          echo "$PWD" >> "$GITHUB_PATH"
+      - name: Configure providers access
+        env:
+          MYTOKEN: ${{ secrets.MYTOKEN }}
+        run: |
+          cd deployment
+          ./site-config.sh
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.2.9
+      - name: Terraform Format
+        id: fmt
+        run: |
+          cd deployment
+          terraform fmt -check
+      - name: Terraform init
+        id: init
+        run: |
+          cd deployment
+          terraform init
+      - name: terraform plan
+        id: plan
+        if: github.event_name == 'pull_request'
+        run: |
+          cd deployment
+          terraform plan -no-color -var-file=deploy.tfvars
+        continue-on-error: true
+      - name: Update Pull Request
+        uses: actions/github-script@v7
+        if: github.event_name == 'pull_request'
+        env:
+          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+            <details><summary>Show Plan</summary>
 
-          \`\`\`
-          ${process.env.PLAN}
-          \`\`\`
+            \`\`\`
+            ${process.env.PLAN}
+            \`\`\`
 
-          </details>
+            </details>
 
-          *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
-          github.rest.issues.createComment({
-            issue_number: context.issue.number,
-            owner: context.repo.owner,
-            repo: context.repo.repo,
-            body: output
-          })
-    - name: Terraform Plan Status
-      if: steps.plan.outcome == 'failure'
-      run: exit 1
-    - name: Terraform Apply
-      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
-      run: |
-        cd deployment
-        terraform apply -auto-approve -var-file=deploy.tfvars
-    - name: Get IP
-      id: public_ip
-      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
-      run: |
-        cd deployment
-        terraform output -raw public_ip
-    - name: Update IP in DNS
-      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
-      env:
-        NSUPDATE_SECRET: ${{ secrets.NSUPDATE_SECRET }}
-      run: |
-        curl -u "horizon.vm.fedcloud.eu:$NSUPDATE_SECRET" \
-             "https://nsupdate.fedcloud.eu/nic/update?myip=${{ steps.public_ip.outputs.stdout }}"
-    - name: Configure with ansible
-      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
-      uses: dawidd6/action-ansible-playbook@v2
-      with:
-        playbook: playbook.yaml
-        directory: ./deployment
-        key: ${{ secrets.SSH_KEY }}
-        inventory: |
-          [all]
-          ${{ steps.public_ip.outputs.stdout }}
-        requirements: galaxy-requirements.yaml
-        options: |
-          --extra-vars git_ref=${{ github.sha }}
-          --ssh-common-args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
-          -u egi
+            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+      - name: Terraform Plan Status
+        if: steps.plan.outcome == 'failure'
+        run: exit 1
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: |
+          cd deployment
+          terraform apply -auto-approve -var-file=deploy.tfvars
+      - name: Get IP
+        id: public_ip
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: |
+          cd deployment
+          terraform output -raw public_ip
+      - name: Update IP in DNS
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        env:
+          NSUPDATE_SECRET: ${{ secrets.NSUPDATE_SECRET }}
+        run: |
+          curl -u "horizon.vm.fedcloud.eu:$NSUPDATE_SECRET" \
+               "https://nsupdate.fedcloud.eu/nic/update?myip=${{ steps.public_ip.outputs.stdout }}"
+      - name: Configure with ansible
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        uses: dawidd6/action-ansible-playbook@v2
+        env:
+          MYTOKEN: ${{ secrets.MYTOKEN }}
+        with:
+          playbook: playbook.yaml
+          directory: ./deployment
+          key: ${{ secrets.SSH_KEY }}
+          inventory: |
+            [all]
+            ${{ steps.public_ip.outputs.stdout }}
+          requirements: galaxy-requirements.yaml
+          options: |
+            --extra-vars ACCESS_TOKEN=$(mytoken AT --MT-env MYTOKEN)
+            --extra-vars git_ref=${{ github.sha }}
+            --ssh-common-args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
+            -u egi

CONTRIBUTING.md

@@ -10,19 +10,16 @@ contribute are also welcome.
 
 ## Feedback and Questions
 
-If you wish to discuss anything related to the project, please open an issue or
-start a topic on the [EGI Community Forum](https://community.egi.eu). The
-maintainers will sometimes move issues off of GitHub to the community forum if
-it is thought that longer, more open-ended discussion would be beneficial,
-including a wider community scope.
+If you wish to discuss anything related to the project, please open a
+[GitHub issue](https://github.com/EGI-Federation/fedcloud-dashboard/issues/new).
 
 ## Contribution Process
 
-Before proposing a contribution via pull request, ideally there is an open issue
-describing the need for your contribution (refer to this issue number when you
-submit the pull request). We have a 3 steps process for contributions.
+Before proposing a contribution via pull request (PR), ideally there is an open
+issue describing the need for your contribution (refer to this issue number when
+you submit the pull request). We have a 3 steps process for contributions.
 
-1. Fork the project if you have not, and commit changes to a git branch
+1. Fork the project if you have not, and commit changes to a Git branch
 1. Create a GitHub Pull Request for your change, following the instructions in
    the pull request template.
 1. Perform a [Code Review](#code-review-process) with the maintainers on the
@@ -38,19 +35,19 @@ submit the pull request). We have a 3 steps process for contributions.
 ### Code Review Process
 
 Code review takes place in GitHub pull requests. See
-[this article](https://help.github.com/articles/about-pull-requests/) if you're
-not familiar with GitHub Pull Requests.
+[this article](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests)
+if you're not familiar with GitHub Pull Requests.
 
 Once you open a pull request, maintainers will review your code using the
-built-in code review process in Github PRs. The process at this point is as
+built-in code review process in GitHub PRs. The process at this point is as
 follows:
 
 1. A maintainer will review your code and merge it if no changes are necessary.
    Your change will be merged into the repository's `main` branch.
 1. If a maintainer has feedback or questions on your changes then they will set
    `request changes` in the review and provide an explanation.
 
-## Using git
+## Using Git
 
 For collaboration purposes, it is best if you create a GitHub account and fork
 the repository to your own account. Once you do this you will be able to push
@@ -59,7 +56,7 @@ easier to send pull requests.
 
 ### Branches and Commits
 
-You should submit your patch as a git branch named after the Github issue, such
+You should submit your patch as a Git branch named after the GitHub issue, such
 as `#3`\. This is called a _topic branch_ and allows users to associate a branch
 of code with the issue.
 
@@ -90,7 +87,6 @@ EGI benefits from a strong community of developers and system administrators,
 and vice-versa. If you have any questions or if you would like to get involved
 in the wider EGI community you can check out:
 
-- [EGI Community Forum](https://community.egi.eu/)
-- [EGI website](https://www.egi.eu)
+- [EGI site](https://www.egi.eu)
 
 **This file has been modified from the Chef Cookbook Contributing Guide**.

deployment/cloud-init.yaml

@@ -2,19 +2,32 @@
 ---
 # avoid auto-upgrade kicking off in the first boot
 bootcmd:
-- [cloud-init-per, once, touch, /var/lib/apt/periodic/update-success-stamp]
+  - [cloud-init-per, once, touch, /var/lib/apt/periodic/update-success-stamp]
 
 users:
-- name: egi
-  gecos: EGI
-  primary_group: egi
-  groups: users
-  shell: /bin/bash
-  sudo: ALL=(ALL) NOPASSWD:ALL
-  ssh_import_id:
-  - gh:enolfc
-  - gh:gwarf
-  - gh:CatalinCondurache
-  - gh:sebastian-luna-valero
-  ssh_authorized_keys:
-  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQD3rdgKJj5WWIE5sD+Mup8HxgMQGY7cYwjwGGa4TJAkZMrhDon5MTgFko51xNZuU7pRhOdTQwJqu8Bkb+y2nAtFS3vHij4x4GgHU9TuLwhgiWjB3qhAj959vXg2FItHO8JsjM3a5R/VxX/hSXlEy+7iyHpH1zCi/LwhcFLEd7yTv0bV99yNMoLPQYhGjYQ5DqrWBKyu8ddFxfRzxaiHgFTvBPwa52Gwft7S7N90tV7fHCI8p+9nD57q6aWwTRtxbClJyf2vohSlIB0WqqPKTBy+he7QkV8VRq9zJyUMaelTTUy+nBolF4oyAHJViY9GAvfdEsHKW0FaV0SS4ICKjilQOAyK3uG+Hl26CCLvtWUmbx/XGAwfoCIipMqXwbjLwA2J+dXCaKS4uBz0f4eXKsXXoFmh4awEIOxpdVXUFYV231JxcgMGGhSQvaqla5QWZ93RNNS0v7SEhHKAkG6B8mOS8yyAu1mBCS0Y03p6xT/7lI5QI4cTIVD3HZU6dB2s/Fc= [email protected]
+  - name: egi
+    gecos: EGI
+    primary_group: egi
+    groups: users
+    shell: /bin/bash
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    ssh_import_id:
+      - gh:enolfc
+      - gh:gwarf
+      - gh:CatalinCondurache
+      - gh:sebastian-luna-valero
+    ssh_authorized_keys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQD3rdgKJj5WWIE5sD+Mup8HxgMQGY7cYwjwGGa4TJAkZMrhDon5MTgFko51xNZuU7pRhOdTQwJqu8Bkb+y2nAtFS3vHij4x4GgHU9TuLwhgiWjB3qhAj959vXg2FItHO8JsjM3a5R/VxX/hSXlEy+7iyHpH1zCi/LwhcFLEd7yTv0bV99yNMoLPQYhGjYQ5DqrWBKyu8ddFxfRzxaiHgFTvBPwa52Gwft7S7N90tV7fHCI8p+9nD57q6aWwTRtxbClJyf2vohSlIB0WqqPKTBy+he7QkV8VRq9zJyUMaelTTUy+nBolF4oyAHJViY9GAvfdEsHKW0FaV0SS4ICKjilQOAyK3uG+Hl26CCLvtWUmbx/XGAwfoCIipMqXwbjLwA2J+dXCaKS4uBz0f4eXKsXXoFmh4awEIOxpdVXUFYV231JxcgMGGhSQvaqla5QWZ93RNNS0v7SEhHKAkG6B8mOS8yyAu1mBCS0Y03p6xT/7lI5QI4cTIVD3HZU6dB2s/Fc= [email protected]
+
+write_files:
+  - content: |
+      # Created by cloud-init according to:
+      #    https://github.com/EGI-Federation/fedcloud-dashboard/blob/main/deployment/cloud-init.yaml
+      #
+      # 1. Access is restricted to members of the vo.cloud.egi.eu VO with the auditor role
+      #    urn:mace:egi.eu:group:cloud.egi.eu:role=auditor#aai.egi.eu
+      #
+      # 2. Once logged in, they have unrestricted sudo power:
+      %egi-eu_cloud-egi-eu ALL=(ALL) NOPASSWD:ALL
+    path: /etc/sudoers.d/motley
+    permissions: "0644"

deployment/galaxy-requirements.yaml

@@ -1,2 +1,4 @@
 # docker installation
 - src: grycap.docker
+# ssh-oidc access
+- src: grycap.motley_cue