fix(renovate-bot): Change the order of precedence for deciding between Vault and Variable.

Issue: gitlab-com/gl-infra/common-ci-tasks#29

fix(renovate-bot): Change the order of precedence for deciding between Vault and Variable.
34b075df · Florian Forster · 9f8454d3 · 34b075df · 34b075df
Unverified Commit 34b075df authored 4 months ago by Florian Forster
--- a/internal/renovate-bot/vault.yml
+++ b/internal/renovate-bot/vault.yml
 # DO NOT INCLUDE DIRECTLY!
+spec:
+  inputs:
+    vault:
 ---
 .renovate_bot_auth_config:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.gitlab.net
  variables:
-    VAULT_RENOVATE_GITLAB_TOKEN_PATH: access_tokens/${VAULT_SECRETS_PATH}/renovate-bot
    RENOVATE_BOT_AUTH_SOURCE: "Vault"
  secrets:
    RENOVATE_GITLAB_TOKEN:
      file: false
-      vault: "${VAULT_RENOVATE_GITLAB_TOKEN_PATH}/token@ci"
+      vault: $[[ inputs.vault ]]
      token: $VAULT_ID_TOKEN
    RENOVATE_GITHUB_TOKEN:
      file: false

--- a/renovate-bot.yml
+++ b/renovate-bot.yml
@@ -5,17 +5,26 @@ spec:
      default: validate
    renovate_bot_stage:
      default: renovate_bot
+    vault:
+      default: ""
 ---
 include:
-  # No vault? fall back to legacy variable based configuration
+  # Explicit vault path? Use it to obtain the RENOVATE_GITLAB_TOKEN for Renovate
+  - local: 'internal/renovate-bot/vault.yml'
+    rules:
+      - if: '"$[[ inputs.vault | expand_vars ]]" != ""'
+    inputs:
+      vault: "$[[ inputs.vault | expand_vars ]]"
+  # RENOVATE_GITLAB_TOKEN CI variable? use the legacy variable based configuration
  - local: 'internal/renovate-bot/variable.yml'
    rules:
-      - if: '$VAULT_SECRETS_PATH == null || $VAULT_SECRETS_PATH == ""'
-
-  # Vault? Use it to obtain the RENOVATE_GITLAB_TOKEN for Renovate
+      - if: '"$[[ inputs.vault | expand_vars ]]" == "" && $RENOVATE_GITLAB_TOKEN != null'
+  # Default: obtain the RENOVATE_GITLAB_TOKEN from a well-known Vault path
  - local: 'internal/renovate-bot/vault.yml'
    rules:
-      - if: '$VAULT_SECRETS_PATH != null && $VAULT_SECRETS_PATH != ""'
+      - if: '"$[[ inputs.vault | expand_vars ]]" == "" && $RENOVATE_GITLAB_TOKEN == null'
+    inputs:
+      vault: "access_tokens/${VAULT_SECRETS_PATH}/renovate-bot/token@ci"
  
 .base_renovate_bot:
  image: