fix: merge with main

.github/workflows/build.yml

@@ -16,7 +16,7 @@ jobs:
       uses: actions/checkout@v3
 
     - name: install go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'

.github/workflows/prerelease.yml

@@ -20,7 +20,7 @@ jobs:
         fetch-depth: 0
 
     - name: install go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'
@@ -40,7 +40,7 @@ jobs:
         make build-static-ci
 
     - name: publish
-      uses: elgohr/Publish-Docker-Github-Action@v4
+      uses: elgohr/Publish-Docker-Github-Action@v5
       with:
         name: target/vela-worker
         cache: true
@@ -49,7 +49,7 @@ jobs:
         password: ${{ secrets.DOCKER_PASSWORD }}
 
     - name: publish-alpine
-      uses: elgohr/Publish-Docker-Github-Action@v4
+      uses: elgohr/Publish-Docker-Github-Action@v5
       with:
         name: target/vela-worker
         cache: true

.github/workflows/publish.yml

@@ -19,7 +19,7 @@ jobs:
         fetch-depth: 0
 
     - name: install go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'
@@ -34,15 +34,15 @@ jobs:
         make build-static-ci
 
     - name: publish
-      uses: elgohr/Publish-Docker-Github-Action@v4
+      uses: elgohr/Publish-Docker-Github-Action@v5
       with:
         name: target/vela-worker
         cache: true
         username: ${{ secrets.DOCKER_USERNAME }}
         password: ${{ secrets.DOCKER_PASSWORD }}
 
     - name: publish-alpine
-      uses: elgohr/Publish-Docker-Github-Action@v4
+      uses: elgohr/Publish-Docker-Github-Action@v5
       with:
         name: target/vela-worker
         cache: true

.github/workflows/reviewdog.yml

@@ -14,7 +14,7 @@ jobs:
       uses: actions/checkout@v3
 
     - name: install go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'
@@ -37,7 +37,7 @@ jobs:
       uses: actions/checkout@v3
 
     - name: install go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'

.github/workflows/spec.yml

@@ -16,7 +16,7 @@ jobs:
       uses: actions/checkout@v3
 
     - name: install go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'
@@ -29,8 +29,8 @@ jobs:
 
     - name: create spec
       run: |
-        make spec-install
-        make spec
+        sudo make spec-install
+        sudo make spec
 
     - name: upload spec
       uses: skx/github-action-publish-binaries@master

.github/workflows/test.yml

@@ -16,7 +16,7 @@ jobs:
       uses: actions/checkout@v3
 
     - name: install go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'

.github/workflows/validate.yml

@@ -16,7 +16,7 @@ jobs:
       uses: actions/checkout@v3
 
     - name: install go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'

.gitignore

@@ -35,6 +35,12 @@ release/
 *.iws
 *.xml
 
+# VSCode project folder
+.vscode/
+
+# VSCode project files
+__debug_bin
+
 # Secrets environment file
 secrets.env
 

api/register.go

@@ -0,0 +1,129 @@
+// Copyright (c) 2023 Target Brands, Inc. All rights reserved.
+//
+// Use of this source code is governed by the LICENSE file in this repository.
+
+package api
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/go-vela/worker/router/middleware/token"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+// swagger:operation POST /register system Register
+//
+// Fill registration token channel in worker to continue operation
+//
+// ---
+// produces:
+// - application/json
+// parameters:
+// security:
+//   - ApiKeyAuth: []
+// responses:
+//   '200':
+//     description: Successfully passed token to worker
+//     schema:
+//       type: string
+//   '401':
+//     description: No token was passed
+//     schema:
+//       "$ref": "#/definitions/Error"
+//   '500':
+//     description: Unable to pass token to worker
+//     schema:
+//       "$ref": "#/definitions/Error"
+
+// Register will pass the token given in the request header to the register token
+// channel of the worker. This will unblock operation if the worker has not been
+// registered and the provided registration token is valid.
+func Register(c *gin.Context) {
+	// extract the worker hostname that was packed into gin context
+	w, ok := c.Get("worker-hostname")
+	if !ok {
+		c.JSON(http.StatusInternalServerError, "no worker hostname in the context")
+		return
+	}
+
+	// extract the register token channel that was packed into gin context
+	v, ok := c.Get("register-token")
+	if !ok {
+		c.JSON(http.StatusInternalServerError, "no register token channel in the context")
+		return
+	}
+
+	// make sure we configured the channel properly
+	rChan, ok := v.(chan string)
+	if !ok {
+		c.JSON(http.StatusInternalServerError, "register token channel in the context is the wrong type")
+		return
+	}
+
+	// if token is present in the channel, deny registration
+	// this will likely never happen as the channel is offloaded immediately
+	if len(rChan) > 0 {
+		c.JSON(http.StatusOK, "worker already registered")
+		return
+	}
+
+	// retrieve auth token from header
+	token, err := token.Retrieve(c.Request)
+	if err != nil {
+		// an error occurs when no token was passed
+		c.JSON(http.StatusUnauthorized, err)
+		return
+	}
+
+	// extract the subject from the token
+	sub, err := getSubjectFromToken(token)
+	if err != nil {
+		c.JSON(http.StatusUnauthorized, err)
+		return
+	}
+
+	// make sure we configured the hostname properly
+	hostname, ok := w.(string)
+	if !ok {
+		c.JSON(http.StatusInternalServerError, "worker hostname in the context is the wrong type")
+		return
+	}
+
+	// if the subject doesn't match the worker hostname return an error
+	if sub != hostname {
+		c.JSON(http.StatusUnauthorized, "worker hostname is invalid")
+		return
+	}
+
+	// write registration token to auth token channel
+	rChan <- token
+
+	c.JSON(http.StatusOK, "successfully passed token to worker")
+}
+
+// getSubjectFromToken is a helper function to extract
+// the subject from the token claims.
+func getSubjectFromToken(token string) (string, error) {
+	// create a new JWT parser
+	j := jwt.NewParser()
+
+	// parse the payload
+	t, _, err := j.ParseUnverified(token, jwt.MapClaims{})
+	if err != nil {
+		return "", fmt.Errorf("unable to parse token")
+	}
+
+	sub, err := t.Claims.GetSubject()
+	if err != nil {
+		return "", fmt.Errorf("unable to get subject from token")
+	}
+
+	// make sure there was a subject defined
+	if len(sub) == 0 {
+		return "", fmt.Errorf("no subject defined in token")
+	}
+
+	return sub, nil
+}

cmd/vela-worker/client.go

@@ -11,7 +11,7 @@ import (
 )
 
 // helper function to setup the queue from the CLI arguments.
-func setupClient(s *Server) (*vela.Client, error) {
+func setupClient(s *Server, token string) (*vela.Client, error) {
 	logrus.Debug("creating vela client from worker configuration")
 
 	// create a new Vela client from the server configuration
@@ -21,11 +21,10 @@ func setupClient(s *Server) (*vela.Client, error) {
 	if err != nil {
 		return nil, err
 	}
-
 	// set token for authentication with the server
 	//
 	// https://pkg.go.dev/github.com/go-vela/sdk-go/vela?tab=doc#AuthenticationService.SetTokenAuth
-	vela.Authentication.SetTokenAuth(s.Secret)
+	vela.Authentication.SetTokenAuth(token)
 
 	return vela, nil
 }