action #122743 (closed)
Rotate secrets used in CircleCI as per recommendation
Description
Motivation
An email to o3-admins@suse.de recommends that all secrets be replaced because there was a security incident. It is not known at this time whether anything was compromised, but best practice is nevertheless to replace any secrets.
Acceptance criteria
- AC1: All secrets configured in CircleCI are known
- AC2: All secrets configured in CircleCI are replaced
- AC3: Multiple people in QE Tools can access CircleCI projects settings in openQA and openqa-trigger-from-obs
Suggestions
- Login at CircleCI with GitHub credentials and check individual projects
- Replace environment variables with new values
- Replace SSH keys with new values
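Before rotating anything (AC1: all secrets must be known), it helps to write down what each project currently has. The script below is an added example and is not part of the issue or of the openQA project; it assumes a CircleCI personal token in a CIRCLE_TOKEN environment variable and uses the CircleCI API v2 envvar and checkout-key endpoints. Values are only ever returned masked by the API, so the inventory records variable names and SSH key fingerprints, which is enough to know what to re-create (the deploy key that was lost in this issue would have shown up here).

```python
"""Inventory the secrets configured on CircleCI projects before rotation.

Hypothetical helper (not openQA code). Uses CircleCI API v2:
  GET /project/{slug}/envvar        -> {"items": [{"name", "value"(masked)}], "next_page_token"}
  GET /project/{slug}/checkout-key  -> {"items": [{"type", "fingerprint", ...}], "next_page_token"}
The HTTP call is injectable so the logic can be exercised offline with constructed responses.
"""
import json
import os
import urllib.request

API = "https://circleci.com/api/v2"
# Projects named in this issue; v2 project slugs use the form gh/<org>/<repo>.
PROJECTS = ["gh/os-autoinst/openQA", "gh/os-autoinst/openqa-trigger-from-obs"]


def circle_get(path, params=None):
    """Real fetcher: authenticates with the personal token in CIRCLE_TOKEN (assumed env var)."""
    query = "&".join(f"{k}={v}" for k, v in (params or {}).items())
    url = f"{API}{path}" + (f"?{query}" if query else "")
    req = urllib.request.Request(url, headers={"Circle-Token": os.environ["CIRCLE_TOKEN"]})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def paged_items(get, path):
    """Follow next_page_token (query parameter page-token) until no further page is reported."""
    token, items = None, []
    while True:
        page = get(path, {"page-token": token} if token else None)
        items.extend(page.get("items", []))
        token = page.get("next_page_token")
        if not token:
            return items


def inventory(get=circle_get, projects=PROJECTS):
    """Return {slug: {"envvars": [names], "checkout_keys": [(type, fingerprint)]}}.

    Only names and fingerprints are recorded: that is what must exist again after
    rotation, and the API never exposes the secret values themselves.
    """
    result = {}
    for slug in projects:
        env = paged_items(get, f"/project/{slug}/envvar")
        keys = paged_items(get, f"/project/{slug}/checkout-key")
        result[slug] = {
            "envvars": sorted(v["name"] for v in env),
            "checkout_keys": [(k["type"], k["fingerprint"]) for k in keys],
        }
    return result


if __name__ == "__main__":
    print(json.dumps(inventory(), indent=2))
```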
Updated by livdywan over 1 year ago
- Status changed from New to In Progress
- Assignee set to livdywan
I'm taking a look now given the nature of it
Updated by livdywan over 1 year ago
I added a new GITHUB_TOKEN with read-only scope to the environment as documented here.
Maybe openqa-trigger-from-obs also needs to be checked. However I have no access to it because you must have write permissions in order to view the project settings.
Updated by livdywan over 1 year ago
- Status changed from In Progress to Feedback
cdywan wrote:
Maybe openqa-trigger-from-obs also needs to be checked. However I have no access to it because you must have write permissions in order to view the project settings.
Checked it with Coolo. There seem to be no tokens besides an XX that we assume to have been put for testing. Deleted it anyway on the off chance.
Updated by livdywan over 1 year ago
- Description updated (diff)
- Priority changed from Immediate to Normal
I'm adding a third AC because of the bus factor identified while trying to update the project settings of openqa-trigger-from-obs. Lowering priority since credentials have been rotated.
Updated by livdywan over 1 year ago
I'll take a look at #122782 shortly which is likely a side effect of my being overly cautious and deleting all secrets
Updated by tinita over 1 year ago
- Related to action #122782: CircleCI openQA "cache" job fails with: Load key "/home/squamata/.ssh/id_rsa": invalid format added
Updated by tinita over 1 year ago
Updated by livdywan over 1 year ago
I just re-added the deploy key.
tinita wrote:
Also see https://github.com/os-autoinst/openQA/blob/master/.circleci/config.yml#L297
Hrmmm I actually used CircleCI to create a new token. Not sure how I would get a token for os-autoinst-bot via https://github.com/settings/tokens since that's not me.
Updated by tinita over 1 year ago
You need to log in as os-autoinst-bot in github and create a new token with write access
Updated by livdywan over 1 year ago
tinita wrote:
You need to log in as os-autoinst-bot in github and create a new token with write access
Okay. I did that, generated a new token in the public_repo scope and replaced the GITHUB_TOKEN value in CircleCI.
Updated by tinita over 1 year ago
A dependency PR was successfully created, so that worked
Updated by livdywan over 1 year ago
tinita wrote:
A dependency PR was successfully created, so that worked
So that leaves AC3. I'll check today that at least two persons on the team have access to the settings, or everyone if there's no reason to be more restrictive.
Updated by livdywan over 1 year ago
- Tags changed from reactive work to reactive work, infra
Updated by okurz over 1 year ago
- Status changed from Feedback to Resolved
I changed permissions for the "tools-team" in https://github.com/os-autoinst/openqa-trigger-from-obs/settings/access from "Read" to "Admin". cdywan confirmed that now in CircleCI they could access https://app.circleci.com/settings/project/github/os-autoinst/openqa-trigger-from-obs . This covers AC3 and completes all open points.