ci-automation: Fix credentials handling in digital ocean

2025-11-24 03:51:33 +01:00 · 2022-05-06 09:16:04 +02:00 · 2022-05-06 09:16:04 +02:00 · 3b3cffabc8
commit 3b3cffabc8
parent 3c119f14b2
2 changed files with 5 additions and 4 deletions
--- a/ci-automation/ci-config.env
+++ b/ci-automation/ci-config.env
@ -94,4 +94,4 @@ GCE_PARALLEL="${PARALLEL_TESTS:-4}"
 : ${DIGITALOCEAN_MACHINE_SIZE:='s-2vcpu-2gb'}
 DIGITALOCEAN_PARALLEL="${PARALLEL_TESTS:-8}"
 # DIGITALOCEAN_TOKEN_JSON env var is used for credentials, and should
-# come from sdk_container/.env
+# come from sdk_container/.env. It must be base64-encoded.
--- a/ci-automation/ci_automation_common.sh
+++ b/ci-automation/ci_automation_common.sh
@ -275,8 +275,9 @@ function url_from_template() {
 # --

 # Puts a secret into a file, while trying for the secret to not end up
-# on a filesystem at all. A path to the file with the secret in
-# /proc in put into the chosen variable.
+# on a filesystem at all. A path to the file with the secret in /proc
+# in put into the chosen variable. The secret is assumed to be
+# base64-encoded.
 #
 # Typical use:
 #   secret_file=''
@ -294,7 +295,7 @@ function secret_to_file() {

    exec {fd}<>"${tmpfile}"
    rm -f "${tmpfile}"
-    echo "${secret}" >&${fd}
+    echo "${secret}" | base64 --decode >&${fd}
    config_ref="/proc/${$}/fd/${fd}"
 }
 # --