coordination #105624

[saga][epic] Reconsider how openQA handles secrets

Added by nicksinger 4 months ago. Updated 27 days ago.

Status: New
Priority: Low
Assignee: -
Category: Feature requests
Target version:
Start date: 2022-01-25
Due date:
% Done: 75%
Estimated time: (Total: 0.00 h)
Difficulty:

Description

Motivation

In the ongoing effort to improve our security we introduced things like e.g. https://github.com/os-autoinst/os-autoinst/pull/1909 which is a necessary step to improve how we handle passwords/secrets.
I'd like to see that openQA also supports accessing passwords over different channels which are specifically designed to store secrets.
I know that our public cloud testers already had similar challenges. IIUC they currently use their own setup of "vault" (see 3. in Suggestions). Maybe we could unify this approach and apply it to our whole infrastructure.

Ideas

  • Support variables with arbitrary commands to access password managers like e.g. keepass (for small, local installations), pass or whatever the user decides to use.
  • Support GPG encrypted variables (and a corresponding configuration for a private key for openQA)
  • Support common interfaces for software which is specifically designed for such use-cases. E.g. https://www.vaultproject.io/

Subtasks

openQA Infrastructure - action #106365: Improve security for OSD worker credentials broke Gitlab CI/CD deploy of salt in OSD size:M (Resolved, nicksinger)

openQA Infrastructure - action #106925: [timeboxed:10h][research] What are best practices and options in the salt and GitLab community to handle secrets (Resolved, jbaier_cz)

action #110227: Stop showing ipmi passwords in autoinst.txt from a ipmi backend job in O3 (New)


Related issues

Related to openQA Project - action #104751: Extend "_SECRET_" variable handling to os-autoinst backend password variables (Resolved, 2022-01-10 - 2022-01-24)

History

#1 Updated by nicksinger 4 months ago

  • Copied from action #104751: Extend "_SECRET_" variable handling to os-autoinst backend password variables added

#2 Updated by nicksinger 4 months ago

  • Copied from deleted (action #104751: Extend "_SECRET_" variable handling to os-autoinst backend password variables)

#3 Updated by nicksinger 4 months ago

  • Related to action #104751: Extend "_SECRET_" variable handling to os-autoinst backend password variables added

#4 Updated by okurz 4 months ago

  • Target version set to future

#5 Updated by cdywan 4 months ago

Another instance https://openqa.opensuse.org/tests/2158135#settings which wasn't covered by #104751

#7 Updated by okurz 3 months ago

  • Tracker changed from action to coordination
  • Subject changed from Reconsider how openQA handles secrets to [saga][epic] Reconsider how openQA handles secrets
  • Priority changed from Normal to Low
