Project

General

Profile

Actions

action #160325

closed

openQA Project (public) - coordination #105624: [saga][epic] Reconsider how openQA handles secrets

openQA Project (public) - coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authentication

[qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3t

Added by szarate 8 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Infrastructure
Start date:
2024-05-14
Due date:
% Done:

0%

Estimated time:
Difficulty:
Sprint:
QE-Core: May Sprint 24 (May 07 - Jun 04)

Description

Motivation

In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments"

Goals

  • G1: Autoyast profiles in os-autoinst-distri-opensuse/data have variables instead of nots3cr3t password

Suggestions

In theory, this should be fairly straightforward, however, there are cases where the password is already hashed (i.e, slepos) where we might need to contact people from other areas

In the end, this should support the autoyast part of #157555


Related issues 2 (1 open1 closed)

Related to openQA Tests (public) - action #160334: [qe-core] Add CI/CD check to avoid uses of nots3cr3t or other hardcoded password in pull requestsBlockedtinawang1232024-09-06

Actions
Copied from openQA Tests (public) - action #157555: [spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:SRejectedokurz

Actions
Actions #1

Updated by szarate 8 months ago

  • Copied from action #157555: [spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S added
Actions #2

Updated by szarate 8 months ago

  • Tags changed from password, security to password, security, qe-core-may-sprint
  • Subject changed from [qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S to [qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3t
  • Description updated (diff)
Actions #3

Updated by szarate 8 months ago

  • Related to action #160334: [qe-core] Add CI/CD check to avoid uses of nots3cr3t or other hardcoded password in pull requests added
Actions #4

Updated by szarate 8 months ago

  • Sprint set to QE-Core: May Sprint 25 (May 07 - Jun 04)
Actions #5

Updated by szarate 8 months ago

  • Category set to Infrastructure
Actions #6

Updated by rfan1 7 months ago

  • Status changed from New to Workable
  • Assignee set to rfan1
Actions #7

Updated by rfan1 7 months ago

Action items:

  1. Change hardcode password to {{PASSWORD}}
  2. Without setting PASSWORD, the default password $testapi::password will be used
  3. Change the logic for prepare_profile to adjust password if needed
Actions #8

Updated by rfan1 7 months ago

  • Status changed from Workable to In Progress
Actions #10

Updated by rfan1 7 months ago

Actions #11

Updated by rfan1 7 months ago

  • Status changed from In Progress to Feedback
Actions #12

Updated by rfan1 7 months ago

https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/19442

Currently, we have both xml and xml.ep format for autoyast configuation files, that means we need to handle both staic and dynamic files at the same time.

We can enhance this logic in future.

Actions #13

Updated by rfan1 7 months ago

  • Status changed from Feedback to Resolved
Actions #14

Updated by szarate 6 months ago

rfan1 wrote in #note-12:

https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/19442

Currently, we have both xml and xml.ep format for autoyast configuation files, that means we need to handle both staic and dynamic files at the same time.

We can enhance this logic in future.

yep, we can use: https://docs.mojolicious.org/Mojo/Template

Actions

Also available in: Atom PDF