action #160325
closed openQA Project - coordination #105624: [saga][epic] Reconsider how openQA handles secrets
openQA Project - coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authentication
[qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3t
0%
Description
Motivation
In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments"
Goals
- G1: Autoyast profiles in os-autoinst-distri-opensuse/data have variables instead of nots3cr3t password
Suggestions
In theory, this should be fairly straightforward; however, there are cases where the password is already hashed (i.e., slepos) where we might need to contact people from other areas
In the end, this should support the autoyast part of #157555
Updated by szarate 2 months ago
- Copied from action #157555: [spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S added
Updated by szarate 2 months ago
- Tags changed from password, security to password, security, qe-core-may-sprint
- Subject changed from [qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S to [qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3t
- Description updated (diff)
Updated by szarate 2 months ago
- Related to action #160334: [qe-core] Add CI/CD check to avoid uses of nots3cr3t or other hardcoded password in pull requests added
Updated by rfan1 about 2 months ago
- Status changed from New to Workable
- Assignee set to rfan1
Updated by rfan1 about 2 months ago
Action items:
- Change hardcoded password to {{PASSWORD}}
- Without setting PASSWORD, the default password $testapi::password will be used
- Change the logic for prepare_profile to adjust password if needed
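The action items above, as an added example in Perl that is not code from the pull request or from os-autoinst-distri-opensuse. expand_password and xml_escape are hypothetical helpers, $DEFAULT_PASSWORD stands in for $testapi::password, and the profile snippet and password values are constructed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Assumption: stands in for $testapi::password, the default named in the ticket.
my $DEFAULT_PASSWORD = 'default-from-testapi';    # constructed value

# Escape characters that would break the XML text node or let a password
# value inject markup into the profile.
sub xml_escape {
    my ($text) = @_;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&apos;');
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Hypothetical helper: expand {{PASSWORD}} in a profile string.
# $settings is a hash ref of job settings; PASSWORD is optional.
sub expand_password {
    my ($profile, $settings) = @_;
    # Refuse profiles that still carry the hardcoded value.
    die "profile still contains the hardcoded password\n"
      if $profile =~ /nots3cr3t/;
    my $password = $settings->{PASSWORD};
    $password = $DEFAULT_PASSWORD unless defined $password && length $password;
    my $escaped = xml_escape($password);
    (my $out = $profile) =~ s/\{\{PASSWORD\}\}/$escaped/g;
    return $out;
}

# Constructed AutoYaST fragment using the placeholder from the action items.
my $profile = <<'XML';
<user>
  <username>root</username>
  <user_password>{{PASSWORD}}</user_password>
  <encrypted config:type="boolean">false</encrypted>
</user>
XML

# Case 1: PASSWORD unset, default is used. Case 2: value needing XML escaping.
print expand_password($profile, $_) for (+{}, +{PASSWORD => 'p&ss<w0rd'});

# Case 3: a static profile that was never converted is rejected.
(my $static = $profile) =~ s/\{\{PASSWORD\}\}/nots3cr3t/;
eval { expand_password($static, +{}); 1 } or print "rejected: $@";
```

Profiles that store an already hashed password, the case the description mentions, are not covered by this plain-text substitution.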
Updated by rfan1 about 2 months ago
- Status changed from Workable to In Progress
Updated by ggardet_arm about 2 months ago
rfan1 wrote in #note-8:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/19399
This PR breaks some tests, such as https://openqa.opensuse.org/tests/4230212#step/console/4
Updated by rfan1 about 1 month ago
Will try to handle a new failure like
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/19441
Updated by rfan1 about 1 month ago
- Status changed from In Progress to Feedback
Updated by rfan1 about 1 month ago
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/19442
Currently, we have both xml and xml.ep format for autoyast configuration files, that means we need to handle both static and dynamic files at the same time.
We can enhance this logic in future.
Updated by szarate 9 days ago
rfan1 wrote in #note-12:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/19442
Currently, we have both xml and xml.ep format for autoyast configuration files, that means we need to handle both static and dynamic files at the same time.
We can enhance this logic in future.
yep, we can use: https://docs.mojolicious.org/Mojo/Template