coordination #105624
open[saga][epic] Reconsider how openQA handles secrets
34%
Description
Motivation¶
In the ongoing effort to improve our security we introduced things like e.g. https://github.com/os-autoinst/os-autoinst/pull/1909 which is a necessary step to improve how we handle passwords/secrets.
I'd like to see that openQA also supports accessing passwords over different channels which are specifically designed to store secrets.
I know that our public cloud testers already had similar challenges. IIUC they currently use their own setup of "vault" (see 3. in Suggestions). Maybe we could unify this approach and apply it to our whole infrastructure.
Ideas¶
- Support variables with arbitrary commands to access password managers like e.g. keepass (for small, local installations), pass or whatever the user decides to use.
- Support GPG encrypted variables (and an according configuration for a private key for openQA)
- Support common interfaces for software which is specifically designed for such use-cases. E.g. https://www.vaultproject.io/
Updated by nicksinger almost 3 years ago
- Copied from action #104751: Extend "_SECRET_" variable handling to os-autoinst backend password variables added
Updated by nicksinger almost 3 years ago
- Copied from deleted (action #104751: Extend "_SECRET_" variable handling to os-autoinst backend password variables)
Updated by nicksinger almost 3 years ago
- Related to action #104751: Extend "_SECRET_" variable handling to os-autoinst backend password variables added
Updated by livdywan almost 3 years ago
Another instance https://openqa.opensuse.org/tests/2158135#settings which wasn't covered by #104751
Updated by okurz over 2 years ago
- Tracker changed from action to coordination
- Subject changed from Reconsider how openQA handles secrets to [saga][epic] Reconsider how openQA handles secrets
- Priority changed from Normal to Low
Updated by xlai about 2 years ago
@okurz, shall #114766 be linked to this parent ticket? BTW, would you please grant me access to it?
Updated by livdywan about 2 years ago
xlai wrote:
@okurz, shall #114766 be linked to this parent ticket? BTW, would you please grant me access to it?
Please try again. You should have access to it.