action #122743

closed

Rotate secrets used in CircleCI as per recommendation

Added by livdywan over 1 year ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
-
Target version:
Start date:
2023-01-05
Due date:
% Done:

0%

Estimated time:

Description

Motivation

An email to o3-admins@suse.de is recommending that all secrets be replaced because there was a security incident. It is not known at this time whether anything was compromised, but best practice is nevertheless to replace all secrets.

Acceptance criteria

  • AC1: All secrets configured in CircleCI are known
  • AC2: All secrets configured in CircleCI are replaced
  • AC3: Multiple people in QE Tools can access CircleCI projects settings in openQA and openqa-trigger-from-obs

Suggestions

  • Login at CircleCI with GitHub credentials and check individual projects
  • Replace environment variables with new values
  • Replace SSH keys with new values
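Added example for AC1 (not part of the ticket or of the openQA project): a small scanner that inventories what a CircleCI config references, so the list of project variables, deploy-key fingerprints and contexts to rotate can be checked against the project settings. The config text, the variable names and the fingerprint are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample in the style of a CircleCI .circleci/config.yml (not the real openQA file).
SAMPLE_CONFIG = """\
version: 2.1
jobs:
  cache:
    steps:
      - add_ssh_keys:
          fingerprints:
            - "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"
      - run: git push "https://${GITHUB_TOKEN}@github.com/example/repo.git"
  build:
    steps:
      - run: curl -sH "Authorization: token $GITHUB_TOKEN" "$API_URL/$CIRCLE_SHA1"
workflows:
  main:
    jobs:
      - build:
          context: org-secrets
"""

# Variables CircleCI injects itself, plus shell basics: not stored in project settings, so nothing to rotate.
BUILTIN_EXACT = {"CI", "CIRCLECI", "HOME", "PATH", "BASH_ENV"}
BUILTIN_PREFIX = "CIRCLE_"

ENV_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
# CircleCI lists added SSH keys by colon-separated MD5 fingerprint.
FINGERPRINT = re.compile(r"\b(?:[0-9a-f]{2}:){15}[0-9a-f]{2}\b")
CONTEXT = re.compile(r"^\s*(?:-\s*)?context:\s*(\S+)\s*$", re.MULTILINE)


def inventory_secrets(config_text: str) -> Dict[str, List[str]]:
    """Return the secret-bearing items a config references, deduplicated and sorted.

    'env_vars' are variables whose values live in CircleCI project or context
    settings, 'ssh_fingerprints' identify deploy keys added via add_ssh_keys,
    and 'contexts' name shared variable sets that must be checked as well.
    """
    env_vars = {
        name for name in ENV_REF.findall(config_text)
        if name not in BUILTIN_EXACT and not name.startswith(BUILTIN_PREFIX)
    }
    return {
        "env_vars": sorted(env_vars),
        "ssh_fingerprints": sorted(set(FINGERPRINT.findall(config_text))),
        "contexts": sorted(set(CONTEXT.findall(config_text))),
    }


if __name__ == "__main__":
    for kind, items in inventory_secrets(SAMPLE_CONFIG).items():
        print(f"{kind}: {', '.join(items) or '(none)'}")
```

Every name the scanner reports should map to an entry in the project (or context) settings; anything configured there but absent from the report is a candidate for deletion rather than rotation.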

Related issues (0 open, 1 closed)

Related to openQA Project - action #122782: CircleCI openQA "cache" ob fails with: Load key "/home/squamata/.ssh/id_rsa": invalid format (Resolved, okurz, 2023-01-06)

Actions #1

Updated by livdywan over 1 year ago

  • Status changed from New to In Progress
  • Assignee set to livdywan

I'm taking a look now given the nature of it

Actions #2

Updated by livdywan over 1 year ago

I added a new GITHUB_TOKEN with read-only scope to the environment as documented here.

Maybe openqa-trigger-from-obs also needs to be checked. However, I have no access to it because you must have write permissions in order to view the project settings.

Actions #3

Updated by livdywan over 1 year ago

  • Target version set to Ready

Actions #4

Updated by livdywan over 1 year ago

  • Status changed from In Progress to Feedback

cdywan wrote:

Maybe openqa-trigger-from-obs also needs to be checked. However, I have no access to it because you must have write permissions in order to view the project settings.

Checked it with Coolo. There seem to be no tokens besides an XX that we assume to have been put for testing. Deleted it anyway on the off chance.

Actions #5

Updated by livdywan over 1 year ago

  • Description updated (diff)
  • Priority changed from Immediate to Normal

I'm adding a third AC because of the bus factor identified while trying to update the project settings of openqa-trigger-from-obs. Lowering priority since credentials have been rotated.

Actions #6

Updated by livdywan over 1 year ago

I'll take a look at #122782 shortly, which is likely a side effect of my being overly cautious and deleting all secrets.

Actions #7

Updated by tinita over 1 year ago

  • Description updated (diff)

Actions #8

Updated by tinita over 1 year ago

  • Related to action #122782: CircleCI openQA "cache" ob fails with: Load key "/home/squamata/.ssh/id_rsa": invalid format added

Actions #10

Updated by livdywan over 1 year ago

I just re-added the deploy key.

tinita wrote:

Also see https://github.com/os-autoinst/openQA/blob/master/.circleci/config.yml#L297

Hrmmm I actually used CircleCI to create a new token. Not sure how I would get a token for os-autoinst-bot via https://github.com/settings/tokens since that's not me.

Actions #11

Updated by tinita over 1 year ago

You need to login as os-autoinst-bot in github and create a new token with write access

Actions #12

Updated by livdywan over 1 year ago

tinita wrote:

You need to login as os-autoinst-bot in github and create a new token with write access

Okay. I did that, generated a new token in the public_repo scope and replaced the GITHUB_TOKEN value in CircleCI.

Actions #13

Updated by tinita over 1 year ago

A dependency PR was successfully created, so that worked

Actions #14

Updated by livdywan over 1 year ago

tinita wrote:

A dependency PR was successfully created, so that worked

So that leaves AC3. I'll check today that at least two persons on the team have access to the settings, or everyone if there's no reason to be more restrictive.

Actions #15

Updated by livdywan over 1 year ago

  • Tags changed from reactive work to reactive work, infra

Actions #16

Updated by okurz over 1 year ago

  • Status changed from Feedback to Resolved

I changed permissions for the "tools-team" in https://github.com/os-autoinst/openqa-trigger-from-obs/settings/access from "Read" to "Admin". cdywan confirmed that now in circleCI they could access https://app.circleci.com/settings/project/github/os-autoinst/openqa-trigger-from-obs . This covers AC3 and completes all open points.
