action #160325
closedopenQA Project (public) - coordination #105624: [saga][epic] Reconsider how openQA handles secrets
openQA Project (public) - coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authentication
[qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3t
0%
Description
Motivation¶
In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments"
Goals¶
- G1: Autoyast profiles in
os-autoinst-distri-opensuse/data
have variables instead of nots3cr3t password
Suggestions¶
In theory, this should be fairly straightforward, however, there are cases where the password is already hashed (i.e, slepos) where we might need to contact people from other areas
In the end, this should support the autoyast part of #157555
Updated by szarate 8 months ago
- Copied from action #157555: [spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S added
Updated by szarate 8 months ago
- Tags changed from password, security to password, security, qe-core-may-sprint
- Subject changed from [qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S to [qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3t
- Description updated (diff)
Updated by szarate 8 months ago
- Related to action #160334: [qe-core] Add CI/CD check to avoid uses of nots3cr3t or other hardcoded password in pull requests added
Updated by ggardet_arm 7 months ago
rfan1 wrote in #note-8:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/19399
This PR breaks some tests, such as https://openqa.opensuse.org/tests/4230212#step/console/4
Updated by rfan1 7 months ago
Will try to handle a new failure like
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/19441
Updated by rfan1 7 months ago
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/19442
Currently, we have both xml and xml.ep format for autoyast configuation files, that means we need to handle both staic and dynamic files at the same time.
We can enhance this logic in future.
Updated by szarate 6 months ago
rfan1 wrote in #note-12:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/19442
Currently, we have both xml and xml.ep format for autoyast configuation files, that means we need to handle both staic and dynamic files at the same time.
We can enhance this logic in future.
yep, we can use: https://docs.mojolicious.org/Mojo/Template