[switchboard] Add copy_service_account_key Ansible role.
Bug: skia:12063
Change-Id: I0903dc6f8d50f19cd884c697ea9c7b728a4b6908
Reviewed-on: https://skia-review.googlesource.com/c/buildbot/+/434471
Reviewed-by: Ravi Mistry <rmistry@google.com>
diff --git a/skolo/ansible/switchboard/roles/copy_service_account_key/README.md b/skolo/ansible/switchboard/roles/copy_service_account_key/README.md
new file mode 100644
index 0000000..6be52e1
--- /dev/null
+++ b/skolo/ansible/switchboard/roles/copy_service_account_key/README.md
@@ -0,0 +1,51 @@
+# Role Name
+
+`copy_service_account_key`
+
+## Description
+
+Copy the service account key to the chrome-bot home directory.
+
+Does this safely by extracting the files from berglas to temp files, copying
+them over, and then deleting the temp files.
+
+Loads the common `key.json` file from
+[berglas](https://github.com/GoogleCloudPlatform/berglas) and copies them over
+to the target machine. See
+[//kube/secrets](https://skia.googlesource.com/buildbot/+/refs/heads/main/kube/secrets/)
+for more details on berglas and Skia secrets.
+
+The key is stored as a kubernetes secret in berglas secrets for the cluster
+`etc` and the secret name `skolo-bot-service-account`.
+
+You can see this secret in the list of all secrets for the `etc` cluster:
+
+ $ ../../kube/secrets/list-secrets-by-cluster.sh etc
+ skolo-service-accounts
+ skolo-bot-service-account
+ skia-rpi-adb-key
+ k3s-node-token
+ authorized_keys
+ ansible-secret-vars
+
+The file is copied into
+`$HOME/.config/gcloud/application_default_credentials.json` so that client
+libraries can find and use this by default.
+
+## Variables
+
+This role uses the `skolo_account` variable defined in
+`//skolo/ansible/group_vars/all.yml` and potentially overridden in `hosts.ini`.
+
+## Security
+
+The `secrets.yml` is only put in a temp file long enough to be copied to the
+target machine, then the temp file is removed by the `clean_up_tempfile`
+handler.
+
+## Example Playbook
+
+ - hosts: '{{ variable_hosts }}'
+
+ roles:
+ - copy_adbkey
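Review bot: The README does not match the role it documents. The Security section says `secrets.yml` is put in a temp file, but the tasks extract `key.json` from the `skolo-bot-service-account` secret and write it as `application_default_credentials.json`; the Example Playbook lists `copy_adbkey` instead of `copy_service_account_key`; and "extracting the files ... copying them over" should be singular, since exactly one file is handled. Suggest fixing the three names and, while here, stating in the Security section what permissions the key ends up with on the target (the copy task currently sets `0644`) so the "Does this safely" claim is verifiable, and noting that what is created and removed is a temp directory (`tempfile: state: directory`), not a temp file.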
diff --git a/skolo/ansible/switchboard/roles/copy_service_account_key/handlers/main.yml b/skolo/ansible/switchboard/roles/copy_service_account_key/handlers/main.yml
new file mode 100644
index 0000000..5f207c5
--- /dev/null
+++ b/skolo/ansible/switchboard/roles/copy_service_account_key/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: clean_up_tempfile
+ delegate_to: 127.0.0.1
+ file:
+ path: '{{ service_account_key.path }}'
+ state: absent
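Review bot: Relying on a handler for secret cleanup means the plaintext key can be left behind on the control host: handlers run at the end of the play and are not run for a host whose play failed, so any failure after extraction (for example in the copy task, or an unreachable target) leaves the key in the temp directory under `service_account_key.path`. Suggest either running the play with `force_handlers: true`, or moving the removal out of a handler into a `block`/`always` structure in tasks/main.yml so `state: absent` is applied unconditionally. Also, `path` here is the directory registered by `mktemp`, so the handler name `clean_up_tempfile` is misleading; `clean_up_tempdir` would match what it removes.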
diff --git a/skolo/ansible/switchboard/roles/copy_service_account_key/tasks/main.yml b/skolo/ansible/switchboard/roles/copy_service_account_key/tasks/main.yml
new file mode 100644
index 0000000..9151137
--- /dev/null
+++ b/skolo/ansible/switchboard/roles/copy_service_account_key/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: mktemp
+ delegate_to: 127.0.0.1
+ tempfile:
+ state: directory
+ register: service_account_key
+
+- name: Extract service account key
+ delegate_to: 127.0.0.1
+ command:
+ argv:
+ - '{{ role_path }}/../../../../../kube/secrets/get-secret-at-path.sh'
+ - etc
+ - skolo-bot-service-account
+ - '.data."key.json"'
+ - '{{ service_account_key.path }}/application_default_credentials.json'
+ creates:
+ '{{ service_account_key.path }}/application_default_credentials.json'
+ notify: clean_up_tempfile
+
+- name: Copy service account key
+ copy:
+ src: '{{ service_account_key.path }}/application_default_credentials.json'
+ dest: /home/{{ skolo_account }}/.config/gcloud/
+ owner: '{{ skolo_account }}'
+ group: '{{ skolo_account }}'
+ mode: '0644'
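Review bot: `mode: '0644'` in the copy task installs a service account key world-readable on the target; a credential file should be `0600`. Two related points in the same hunk: `dest` ends with `/`, so `/home/{{ skolo_account }}/.config/gcloud/` is created on the fly if it does not exist, but this task only sets `owner`/`group`/`mode` on the file, not on the created directory; add a preceding `file:` task with `state: directory`, `owner`/`group: '{{ skolo_account }}'` and `mode: '0700'` so the directory's ownership and permissions are explicit. And `notify: clean_up_tempfile` is attached to the extract task rather than to `mktemp`, so if `get-secret-at-path.sh` fails nothing is ever notified and the temp directory is not removed; notifying from `mktemp` (or doing the cleanup in an `always:` section) covers that path. The `creates:` guard is effectively a no-op here because the temp directory is new on every run, so it can be dropped.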