action #104751

closed

Extend "_SECRET_" variable handling to os-autoinst backend password variables

Added by okurz over 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: High
Assignee:
Category: Feature requests
Target version:
Start date: 2022-01-10
Due date: 2022-01-24
% Done: 0%
Estimated time:

Description

Motivation

We already don't write any variable with "SECRET" in the name to vars.json for security reasons. Within os-autoinst we have some security-relevant data, e.g. passwords, that we should likely treat the same.

Acceptance criteria

  • AC1: Remote backend passwords don't appear in vars.json by default

Suggestions

  • Call git grep '_SECRET_' to find all current handling of SECRET variables
  • Extend that to also look for _PASSWORD
  • Ensure that the values for the backend passwords don't show up in vars.json, e.g. no IPMI_PASSWORD entry as in https://openqa.nue.suse.com/tests/7924361/file/vars.json
  • Consider what happens when cloning such jobs. Do they fail because the password is missing?
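
A check for AC1 and for the cloning question above, as an added example that is not part of the ticket or of os-autoinst's own code. It assumes the `_SECRET_` and `_PASSWORD` name patterns from the suggestions are matched as substrings; the function names and all sample variables are constructed for illustration.

```python
import json
import re

# Name patterns taken from the ticket: "_SECRET_" (existing handling) and
# "_PASSWORD" (proposed extension). Substring matching is an assumption.
SENSITIVE_NAME = re.compile(r"_SECRET_|_PASSWORD")

def split_vars(job_vars):
    """Split job variables into (publishable dict, sorted withheld names)."""
    publishable = {k: v for k, v in job_vars.items() if not SENSITIVE_NAME.search(k)}
    withheld = sorted(k for k in job_vars if SENSITIVE_NAME.search(k))
    return publishable, withheld

def dump_publishable(job_vars):
    """JSON text that would be safe to publish as vars.json."""
    return json.dumps(split_vars(job_vars)[0], indent=2, sort_keys=True)

def audit_vars_json(text):
    """Names in an existing vars.json that violate AC1 (empty list = pass)."""
    return split_vars(json.loads(text))[1]

def missing_after_clone(original_vars, published_json):
    """Sensitive names a clone built only from the published file would lack."""
    published = json.loads(published_json)
    return [n for n in split_vars(original_vars)[1] if n not in published]

# Constructed sample; none of these values are real credentials.
SAMPLE_VARS = {
    "BACKEND": "ipmi",
    "IPMI_HOSTNAME": "bmc.example.test",
    "IPMI_USER": "admin",
    "IPMI_PASSWORD": "constructed-not-real",
    "_SECRET_API_TOKEN": "constructed-not-real",
    "PASSWORDLESS_LOGIN": "1",  # no "_PASSWORD" substring, so it is published
}
LEAKY_JSON = json.dumps(SAMPLE_VARS)  # what an unfiltered writer would produce

if __name__ == "__main__":
    print("leaked in unfiltered file:", audit_vars_json(LEAKY_JSON))
    safe = dump_publishable(SAMPLE_VARS)
    print("leaked in filtered file:  ", audit_vars_json(safe))
    print("clone must re-supply:     ", missing_after_clone(SAMPLE_VARS, safe))
```

The last function lists exactly the variables a cloned job would have to obtain from somewhere other than vars.json, which is the failure mode the final suggestion asks about.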

Related issues 2 (1 open, 1 closed)

Related to openQA Project - coordination #105624: [saga][epic] Reconsider how openQA handles secrets (New, 2022-01-25)

Related to openQA Infrastructure - action #156016: [openQA][sle-micro][virtualization] Test slem_virtualization@uefi with Default-encrypted image was not triggered correctly size:M (Resolved, okurz, 2024-02-26)
