trigger-readthedocs: Move secret bits into a dict

What I missed when I layed this out was that you setup a secret like

 - secret:
   name: rtd_credentials
   data:
     username: openstackci
     password: foo

what you have in the job variables is a dictionary called
"rtd_credentials".

It makes it much simpler to use the role with the secret if it accepts
this variable, rather than having to extract the username/password etc
out of the secret dictionary into separate variables.

Additionally, turn on no_log for the uri calls, to avoid potentially
logging any credentials.

Change-Id: I514fb1285196aae0b49a98f0efc21326730e4179
This commit is contained in:
Ian Wienand 2018-08-01 20:21:02 +10:00
parent 5e5ecdb75e
commit bd4e5a54d7
2 changed files with 32 additions and 25 deletions

View File

@ -16,20 +16,23 @@ Trigger readthedocs build for a project
This may come from a secret, however it can not be triggered
without authentication.
.. zuul:rolevar:: rtd_integration_token
.. zuul:rolevar:: rtd_credentials
The webhook integration token. You'll find this value on the
project's "Integrations" dashboard page in RTD. This is expected
to come from a secret. This can be used instead of
username/password combo.
.. zuul:rolevar:: rtd_username
The readthedocs username. If set, this will be used to
authenticate in preference to any token set via
``rtd_integration_token``.
.. zuul:rolevar:: rtd_password
Password for ``rtd_username``. Must be set if password is set.
Complex argument which contains the RTD authentication credentials.
This is expected to come from a secret.
.. zuul:rolevar:: integration_token
The webhook integration token. You'll find this value on the
project's "Integrations" dashboard page in RTD. This can be used
instead of username/password combo.
.. zuul:rolevar:: username
The readthedocs username. If set, this will be used to
authenticate in preference to any token set via
``rtd_integration_token``.
.. zuul:rolevar:: password
Password for ``username``. Must be set if username is set.

View File

@ -5,28 +5,30 @@
- name: Check for an authentication type
fail:
msg: Must set either rtd_username or rtd_integration_token
when: (rtd_username is not defined) and (rtd_integration_token is not defined)
msg: Must set either rtd_credentials.username or rtd_credentials.integration_token
when: (rtd_credentials.username is not defined) and (rtd_credentials.integration_token is not defined)
- when: rtd_username is defined
- when: rtd_credentials.username is defined
block:
- name: Require password
fail:
msg: rtd_password is required when using rtd_username
when: rtd_password is not defined
msg: password is required when using rtd_credentials.username
when: rtd_credentials.rtd_password is not defined
- name: Trigger readthedocs build webhook via authentication
uri:
method: POST
url: 'https://readthedocs.org/api/v2/webhook/{{ rtd_project_name }}/{{ rtd_webhook_id }}/'
user: '{{ rtd_username }}'
password: '{{ rtd_password }}'
user: '{{ rtd_credentials.username }}'
password: '{{ rtd_credentials.password }}'
# NOTE(ianw): testing it seems the API doesn't respond with
# 401 so this is required
force_basic_auth: yes
# avoid logging any credentials
no_log: true
- when: rtd_integration_token is defined and
rtd_username is not defined
- when: rtd_credentials.integration_token is defined and
rtd_credentials.username is not defined
block:
- name: Trigger readthedocs build webhook via token
uri:
@ -34,5 +36,7 @@
url: 'https://readthedocs.org/api/v2/webhook/{{ rtd_project_name }}/{{ rtd_webhook_id }}/'
body_format: form-urlencoded
body:
token: '{{ rtd_integration_token }}'
token: '{{ rtd_credentials.integration_token }}'
follow_redirects: all
# avoid logging any credentials
no_log: true