[DEVOPS-1259]Update pipeline to CI only KV (#2854)

* Update pipeline to CI only KV
2024-11-25 12:45:18 +01:00 · 2023-04-17 14:06:57 +01:00 · 2023-04-17 14:06:57 +01:00 · 972a500745
commit 972a500745
parent 09c1b2e07e
6 changed files with 22 additions and 15 deletions
--- a/.github/workflows/build-self-host.yml
+++ b/.github/workflows/build-self-host.yml
@ -61,12 +61,16 @@ jobs:
      - name: Login to Azure ACR
        run: az acr login -n bitwardenprod

+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        with:
+          creds: ${{ secrets. AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve github PAT secrets
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"

      - name: Retrieve secrets
@ -74,7 +78,7 @@ jobs:
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "docker-password,
            docker-username,
            dct-delegate-2-repo-passphrase,
@ -161,18 +165,18 @@ jobs:
              exit 1
          fi

-      - name: Login to Azure - Prod Subscription
+      - name: Login to Azure - CI subscription
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        if: failure()
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets. AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        if: failure()
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -280,11 +280,16 @@ jobs:
      - name: Login to PROD ACR
        run: az acr login -n bitwardenprod

+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        with:
+          creds: ${{ secrets. AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
      - name: Retrieve github PAT secrets
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"

      - name: Retrieve secrets
@ -292,7 +297,7 @@ jobs:
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "docker-password,
            docker-username,
            dct-delegate-2-repo-passphrase,
@ -570,7 +575,7 @@ jobs:
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        if: failure()
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
--- a/.github/workflows/container-registry-purge.yml
+++ b/.github/workflows/container-registry-purge.yml
@ -65,7 +65,6 @@ jobs:

          done

-
  check-failures:
    name: Check for failures
    if: always()
@ -96,7 +95,7 @@ jobs:
        uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f
        if: failure()
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -111,7 +111,7 @@ jobs:
      - name: Retrieve secrets
        id: retrieve-secrets
        env:
-          VAULT_NAME: "bitwarden-prod-kv"
+          VAULT_NAME: "bitwarden-ci"
        run: |
          webapp_name=$(
            az keyvault secret show --vault-name $VAULT_NAME \
@ -239,7 +239,7 @@ jobs:
        uses: bitwarden/gh-actions/setup-docker-trust@a8c384a05a974c05c48374c818b004be221d43ff
        with:
          azure-creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
-          azure-keyvault-name: "bitwarden-prod-kv"
+          azure-keyvault-name: "bitwarden-ci"

      - name: Pull latest project image
        if: matrix.origin_docker_repo == 'bitwarden'
--- a/.github/workflows/stop-staging-slots.yml
+++ b/.github/workflows/stop-staging-slots.yml
@ -5,7 +5,6 @@ on:
  workflow_dispatch:
    inputs: {}

-
 jobs:
  stop-slots:
    name: Stop Slots
@ -37,7 +36,7 @@ jobs:
      - name: Retrieve secrets
        id: retrieve-secrets
        env:
-          VAULT_NAME: "bitwarden-prod-kv"
+          VAULT_NAME: "bitwarden-ci"
        run: |
          webapp_name=$(
            az keyvault secret show --vault-name $VAULT_NAME \
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@ -25,7 +25,7 @@ jobs:
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "github-gpg-private-key, github-gpg-private-key-passphrase"

      - name: Import GPG key