-
Notifications
You must be signed in to change notification settings - Fork 63
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
81 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,19 +18,66 @@ modify the repository. Fedora Copr team folks can only access a subset of | |
| stored credentials (with a subset of available playbooks) through the | ||
| ``rbac-playbook`` wrapper. | ||
|
|
||
| Since no Fedora Copr team member is member of the ``sysadmin-main`` FAS group, | ||
| Since no Fedora Copr team member is member of the `sysadmin-main FAS group`_, | ||
| we have to submit tickets `against the fedora-infra team <infra issues>`_ | ||
| whenever we need to modify the ``ansible-private`` repo. For the "creds | ||
| rotation" time, it might be better to grab a ``sysadmin-member`` on call and | ||
| batch-process all the stuff. | ||
| rotation" time, it might be better to grab a ``sysadmin-main`` member on call | ||
| and batch-process all the stuff at once. | ||
|
|
||
| Note: There's the `AWX proposal`_ which will probably make this much more | ||
| granular and convenient, perhaps together with `Vault proposal`_. | ||
| .. note:: | ||
| There's the `AWX proposal`_ which will probably make this much more granular | ||
| and convenient, perhaps together with `Vault proposal`_. | ||
|
|
||
| On top of this, Copr Team has access to a Bitwaarden account where we store | ||
| other passwords that are not strictly related to automation (mailing list | ||
| passwords, stuff related to manual release processes, etc.). Ask | ||
| ``[email protected]`` if you believe you need something from there. | ||
|
|
||
| SSH access to our systems | ||
| ------------------------- | ||
|
|
||
| Anyone who is in the ``sysadmin-main`` group can ssh-as-root onto our systems, | ||
| together with explicit administrators mentioned in the `root_auth_users`_ config | ||
| option. Users' keys are automatically added into ``/root/.ssh/authorized_keys`` | ||
| when the corresponding `playbook is run <how_to_upgrade_persistent_instances>`_. | ||
|
|
||
|
|
||
| Group membership | ||
| ---------------- | ||
|
|
||
| - `FAS copr-sig`_ group, aka ``[email protected]`` e-mail | ||
|
|
||
| The e-mail is jus alias (proxy to team members' INBOXes, not a mailing | ||
| list), and the group is receiving various reports related to Fedora Copr | ||
| operation (e.g. crontab e-mails, Nagios reports, etc.). | ||
|
|
||
| Members of this group are also assigned as "default assignees" to various | ||
| Fedora components related to Copr. Bug reports are automatically delivered | ||
| to that e-mail. | ||
|
|
||
| - `FAS sysadmin-copr`_ group, aka ``[email protected]`` e-mail | ||
|
|
||
| Members in this group are able to execute Fedora Copr related playbooks (SSH | ||
| to batcave machine, and run them there). Members of this group can also SSH | ||
| to all of Fedora Copr infrastructure machines and hypervisors. | ||
|
|
||
| - `FAS gitcopr`_ group | ||
|
|
||
| TODO | ||
|
|
||
| - `FAS aws-copr`_ group | ||
|
|
||
| TODO | ||
|
|
||
| - `GitHub fedora-copr/copr-team`_ | ||
|
|
||
| This is the group of upstream Copr. Members have the rights to merge | ||
| pull-requests in the main `Copr repo`_. | ||
|
|
||
|
|
||
| Bitwarden account | ||
| ----------------- | ||
|
|
||
| Copr Team uses Bitwarden account where they store other passwords that are not | ||
| strictly related to automation (mailing list passwords, stuff related to manual | ||
| release processes, etc.). Ask ``[email protected]`` if you believe you need | ||
| something from there. | ||
|
|
||
|
|
||
| General secret variables | ||
|
|
@@ -39,7 +86,6 @@ General secret variables | |
| The variables are defined in ``/srv/private/ansible/vars.yml`` (private git | ||
| checkout on batcave). | ||
|
|
||
|
|
||
| - **IBM Cloud access** | ||
|
|
||
| The ``{{ ibmcloud_token_file }}`` file is created on ``copr-backend`` to | ||
|
|
@@ -59,7 +105,7 @@ checkout on batcave). | |
|
|
||
| - **Copr FE/BE Token** | ||
|
|
||
| There's the `{{ copr_backend_password }}`` secret variable that is used on | ||
| There's the ``{{ copr_backend_password }}`` secret variable that is used on | ||
| several places. It is used for ``Frontend <-> Backend <-> DistGit`` | ||
| authentication. | ||
|
|
||
|
|
@@ -79,20 +125,42 @@ Secret files | |
| actually start machines on hypervisors (virsh over ssh). This deserves a | ||
| split to multiple keys to simplify the rotation work. | ||
|
|
||
| **SSL Keys using letsencrypt** | ||
| - **SSL Keys using letsencrypt** | ||
|
|
||
| For copr backend, we "backup" our currently issued LetsEncrypt certificates | ||
| and keys on Batcave, this is to simplify our life while migrating the | ||
| Backend role from one infrastructure machine to another (moving from | ||
| ``Fedora N`` to ``Fedora N+2`` typically. These files are not stored in | ||
| ``ansible-private.git`` though. | ||
|
|
||
| **Private key for Keygen** | ||
| - **Private key for Keygen** | ||
|
|
||
| There's the ``{{ private }}/files/copr/keygen/backup_key.asc`` file, the | ||
| main private key for Fedora Copr keygen. | ||
|
|
||
|
|
||
| Rotation instructions | ||
| --------------------- | ||
|
|
||
| 1. Go through all the secret variables and files mentioned above and rotate | ||
| them. | ||
|
|
||
| 2. Take a look at the Bitwarden acount and rotate all credentials there, each | ||
| entry should self-document itself. | ||
|
|
||
| 3. Cleanup the SSH access. | ||
|
|
||
|
|
||
|
|
||
| .. _`Ansible SOP`: https://docs.fedoraproject.org/en-US/infra/sysadmin_guide/ansible/ | ||
| .. _`infra issues`: https://pagure.io/fedora-infrastructure/new_issue | ||
| .. _`AWX proposal`: https://pagure.io/fedora-infrastructure/issue/11377 | ||
| .. _`Vault proposal`: https://pagure.io/fedora-infrastructure/issue/11612 | ||
| .. _`sysadmin-main FAS group`: https://accounts.fedoraproject.org/group/sysadmin-main/ | ||
| .. _`root_auth_users`: https://pagure.io/fedora-infra/ansible/blob/main/f/inventory/group_vars/copr_aws | ||
| .. _`FAS aws-copr`: https://accounts.fedoraproject.org/group/copr-sig/ | ||
| .. _`FAS gitcopr`: https://accounts.fedoraproject.org/group/copr-sig/ | ||
| .. _`FAS copr-sig`: https://accounts.fedoraproject.org/group/copr-sig/ | ||
| .. _`FAS sysadmin-copr`: https://accounts.fedoraproject.org/group/copr-sig/ | ||
| .. _`Copr repo`: https://github.com/orgs/fedora-copr/copr` | ||
| .. _`GitHub fedora-copr/copr-team`: https://github.com/orgs/fedora-copr/teams/copr-team | ||