action #122743
closed
Rotate secrets used in CircleCI as per recommendation
Added by livdywan over 1 year ago.
Updated over 1 year ago.
Description
Motivation
An email to o3-admins@suse.de recommends that all secrets be replaced because there was a security incident. It is not known at this time whether anything was compromised, but best practice is nevertheless to replace any secrets.
Acceptance criteria
- AC1: All secrets configured in CircleCI are known
- AC2: All secrets configured in CircleCI are replaced
- AC3: Multiple people in QE Tools can access CircleCI projects settings in openQA and openqa-trigger-from-obs
Suggestions
- Login at CircleCI with GitHub credentials and check individual projects
- Replace environment variables with new values
- Replace SSH keys with new values
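AC1 asks that every secret configured in CircleCI be known before it is rotated. The script below is an added example, not part of the ticket or of the openQA projects: it inventories the environment variable names of a list of projects through the CircleCI API v2 (`GET /project/{slug}/envvar`, which returns names with masked values and a `next_page_token`) and reports names the team has no record of. The project slugs, the register of known names and the `CIRCLECI_TOKEN` variable are assumptions.

```python
import json
import os
import urllib.request
from typing import Callable

API = "https://circleci.com/api/v2"  # CircleCI API v2 base URL


def http_get(url: str, token: str) -> str:
    """Fetch one API page; the personal API token goes in the Circle-Token header."""
    req = urllib.request.Request(url, headers={"Circle-Token": token,
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def list_envvars(slug: str, fetch: Callable[[str], str]) -> list[str]:
    """Return every env var name of a project, following next_page_token.

    The API only returns a masked tail of each value, so this is an
    inventory of what exists (AC1), not a way to read the secrets.
    """
    names, page_token = [], None
    while True:
        url = f"{API}/project/{slug}/envvar"
        if page_token:
            url += f"?page-token={page_token}"
        page = json.loads(fetch(url))
        names.extend(item["name"] for item in page.get("items", []))
        page_token = page.get("next_page_token")
        if not page_token:
            return sorted(names)


def unknown_secrets(configured: dict[str, list[str]],
                    register: dict[str, set[str]]) -> dict[str, list[str]]:
    """Per project, the names present in CircleCI but absent from the team's register."""
    report = {}
    for slug, names in configured.items():
        extra = [n for n in names if n not in register.get(slug, set())]
        if extra:
            report[slug] = extra
    return report


if __name__ == "__main__":
    # Hypothetical slugs and register; the token is read from the environment.
    token = os.environ["CIRCLECI_TOKEN"]
    slugs = ["gh/os-autoinst/openQA", "gh/os-autoinst/openqa-trigger-from-obs"]
    register = {"gh/os-autoinst/openQA": {"GITHUB_TOKEN"}}
    found = {s: list_envvars(s, lambda u: http_get(u, token)) for s in slugs}
    print(json.dumps({"configured": found,
                      "unknown": unknown_secrets(found, register)}, indent=2))
```

Anything listed under "unknown" is a candidate for deletion or for being added to the register before the rotation in AC2 starts.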
- Status changed from New to In Progress
- Assignee set to livdywan
I'm taking a look now given the nature of it
I added a new GITHUB_TOKEN with read-only scope to the environment as documented here.
Maybe openqa-trigger-from-obs also needs to be checked. However, I have no access to it because you must have write permissions in order to view the project settings.
- Target version set to Ready
- Status changed from In Progress to Feedback
cdywan wrote:
Maybe openqa-trigger-from-obs also needs to be checked. However, I have no access to it because you must have write permissions in order to view the project settings.
Checked it with Coolo. There seem to be no tokens besides an XX that we assume to have been put there for testing. Deleted it anyway on the off chance.
- Description updated (diff)
- Priority changed from Immediate to Normal
I'm adding a third AC because of the bus factor identified while trying to update the project settings of openqa-trigger-from-obs. Lowering priority since credentials have been rotated.
I'll take a look at #122782 shortly, which is likely a side effect of my being overly cautious and deleting all secrets.
- Description updated (diff)
- Related to action #122782: CircleCI openQA "cache" job fails with: Load key "/home/squamata/.ssh/id_rsa": invalid format added
You need to login as os-autoinst-bot in github and create a new token with write access
tinita wrote:
You need to login as os-autoinst-bot in github and create a new token with write access
Okay. I did that, generated a new token in the public_repo scope and replaced the GITHUB_TOKEN value in CircleCI.
tinita wrote:
A dependency PR was successfully created, so that worked
So that leaves AC3. I'll check today that at least two people on the team have access to the settings, or everyone if there's no reason to be more restrictive.
- Tags changed from reactive work to reactive work, infra
- Status changed from Feedback to Resolved