Project

General

Profile

Actions

coordination #105624

open

[saga][epic] Reconsider how openQA handles secrets

Added by nicksinger over 2 years ago. Updated 1 day ago.

Status:
New
Priority:
High
Assignee:
-
Category:
Feature requests
Target version:
Start date:
2022-01-25
Due date:
2024-07-03 (Due in 13 days)
% Done:

31%

Estimated time:
(Total: 0.00 h)

Description

Motivation

In the ongoing effort to improve our security we introduced things like e.g. https://github.com/os-autoinst/os-autoinst/pull/1909 which is a necessary step to improve how we handle passwords/secrets.
I'd like to see that openQA also supports accessing passwords over different channels which are specifically designed to store secrets.
I know that our public cloud testers already had similar challenges. IIUC they currently use their own setup of "vault" (see 3. in Suggestions). Maybe we could unify this approach and apply it to our whole infrastructure.

Ideas

  • Support variables with arbitrary commands to access password managers like e.g. keepass (for small, local installations), pass or whatever the user decides to use.
  • Support GPG encrypted variables (and an according configuration for a private key for openQA)
  • Support common interfaces for software which is specifically designed for such use-cases. E.g. https://www.vaultproject.io/

Subtasks 25 (13 open12 closed)

openQA Infrastructure - action #106365: Improve security for OSD worker credentials broke Gitlab CI/CD deploy of salt in OSD size:MResolvednicksinger2022-01-25

Actions
openQA Infrastructure - action #106925: [timeboxed:10h][research] What are best practices and options in the salt and GitLab community to handle secretsResolvedjbaier_cz2022-02-16

Actions
action #110227: Stop showing ipmi passwords in autoinst.txt from a ipmi backend job in O3Resolved2022-04-24

Actions
coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authenticationBlockedokurz2024-03-182024-07-03

Actions
openQA Infrastructure - action #157468: Handle internal test machines with compromised root password size:MResolvedokurz2024-03-18

Actions
openQA Tests - action #157555: [spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:SWorkable

Actions
openQA Tests - action #157744: [spike][timeboxed:10h][qe-core] Use ssh key authentication in particular for s390x kvm installation openQA jobsWorkable2024-03-22

Actions
openQA Infrastructure - action #157750: Better secure the networks to have s390kvm… (and others) less accessibleResolvedokurz2024-03-22

Actions
openQA Infrastructure - action #158242: Prevent ssh access to test VMs on svirt hypervisor hosts with firewall size:MRejecteddheidler2024-03-28

Actions
action #158455: [spike][timeboxed:10h] openQA worker native on s390xResolvedokurz2024-03-28

Actions
action #158628: Prevent passwords being logged in s390x kvm test casesResolvedokurz2024-04-08

Actions
action #158985: openQA worker native on s390xResolvedokurz

Actions
openQA Infrastructure - action #159063: s390x qemu backend host within SUSE networksNew2024-04-16

Actions
openQA Infrastructure - action #159066: network-level firewall preventing direct ssh+vnc access to openQA test VMs size:MResolvednicksinger2024-03-28

Actions
openQA Infrastructure - action #159069: network-level firewall preventing direct ssh+vnc access to all machines within the oqa.prg2.suse.org network if neededRejectedokurz2024-03-28

Actions
action #159621: Make tests work with native openQA worker s390x qemu size:MWorkable

Actions
openQA Tests - action #160325: [qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3tResolvedrfan12024-05-14

Actions
openQA Infrastructure - action #160436: Use s390zl19+s390zl1a in production size:SWorkable

Actions
openQA Tests - action #160334: [qe-core] Add CI/CD check to avoid uses of nots3cr3t or other hardcoded password in pull requestsWorkable2024-05-14

Actions
coordination #161936: [epic] Consider using https://confluence.suse.com/display/IAM/SecretOps+-+Hashicorp+VaultNew2024-06-07

Actions
coordination #162080: [epic] Hide SCC regcodes like secrets and passwordsNew2023-10-27

Actions
action #138653: Ensure our handling of "secrets", i.e. _SECRET variables, is documentedNew2023-10-27

Actions
action #162083: os-autoinst support for custom secret hidingNewokurz2024-06-11

Actions
action #162086: openQA support for custom secret hidingNew2024-06-11

Actions
action #162089: Hide SCC regcodes from OSD tests, e.g. SCC_REGCODENew2024-06-11

Actions

Related issues 1 (0 open1 closed)

Related to openQA Project - action #104751: Extend "_SECRET_" variable handling to os-autoinst backend password variablesResolvedokurz2022-01-102022-01-24

Actions
Actions #1

Updated by nicksinger over 2 years ago

  • Copied from action #104751: Extend "_SECRET_" variable handling to os-autoinst backend password variables added
Actions #2

Updated by nicksinger over 2 years ago

  • Copied from deleted (action #104751: Extend "_SECRET_" variable handling to os-autoinst backend password variables)
Actions #3

Updated by nicksinger over 2 years ago

  • Related to action #104751: Extend "_SECRET_" variable handling to os-autoinst backend password variables added
Actions #4

Updated by okurz over 2 years ago

  • Target version set to future
Actions #5

Updated by livdywan over 2 years ago

Another instance https://openqa.opensuse.org/tests/2158135#settings which wasn't covered by #104751

Actions #7

Updated by okurz over 2 years ago

  • Tracker changed from action to coordination
  • Subject changed from Reconsider how openQA handles secrets to [saga][epic] Reconsider how openQA handles secrets
  • Priority changed from Normal to Low
Actions #8

Updated by xlai almost 2 years ago

@okurz, shall #114766 be linked to this parent ticket? BTW, would you please grant me access to it?

Actions #10

Updated by livdywan almost 2 years ago

xlai wrote:

@okurz, shall #114766 be linked to this parent ticket? BTW, would you please grant me access to it?

Please try again. You should have access to it.

Actions #11

Updated by okurz 3 months ago

  • Subtask #157537 added
Actions #12

Updated by szarate about 1 month ago

  • Subtask #160334 added
Actions #13

Updated by okurz 13 days ago

  • Subtask #161936 added
Actions #15

Updated by okurz 9 days ago

  • Subtask #162080 added
Actions

Also available in: Atom PDF