-
Notifications
You must be signed in to change notification settings - Fork 61
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fixes: #2706
- Loading branch information
Showing
2 changed files
with
99 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| .. _fedora_credentials: | ||
|
|
||
| Fedora Copr credentials | ||
| ======================= | ||
|
|
||
| The point of this document is to guide Fedora Copr admininstrators through the | ||
| list of credentials Fedora Copr uses, and documenting how to maintain and rotate | ||
| them. | ||
|
|
||
|
|
||
| Basic info | ||
| ---------- | ||
|
|
||
| All automation-related credentials are stored in ``ansible-private GIT``, as | ||
| documented in the `Ansible SOP`_. This repo is not visible anywhere to give you | ||
| a link. Only ``sysadmin-main`` FAS group folks have the rights to read and | ||
| modify the repository. Fedora Copr team folks can only access a subset of | ||
| stored credentials (with a subset of available playbooks) through the | ||
| ``rbac-playbook`` wrapper. | ||
|
|
||
| Since no Fedora Copr team member is member of the ``sysadmin-main`` FAS group, | ||
| we have to submit tickets `against the fedora-infra team <infra issues>`_ | ||
| whenever we need to modify the ``ansible-private`` repo. For the "creds | ||
| rotation" time, it might be better to grab a ``sysadmin-member`` on call and | ||
| batch-process all the stuff. | ||
|
|
||
| Note: There's the `AWX proposal`_ which will probably make this much more | ||
| granular and convenient, perhaps together with `Vault proposal`_. | ||
|
|
||
| On top of this, Copr Team has access to a Bitwaarden account where we store | ||
| other passwords that are not strictly related to automation (mailing list | ||
| passwords, stuff related to manual release processes, etc.). Ask | ||
| ``[email protected]`` if you believe you need something from there. | ||
|
|
||
|
|
||
| General secret variables | ||
| ------------------------ | ||
|
|
||
| The variables are defined in ``/srv/private/ansible/vars.yml`` (private git | ||
| checkout on batcave). | ||
|
|
||
|
|
||
| - **IBM Cloud access** | ||
|
|
||
| The ``{{ ibmcloud_token_file }}`` file is created on ``copr-backend`` to | ||
| allow spawning VMs in IBM Cloud (by Resalloc). It is defined by **secret | ||
| variable** ``{{ copr_cloud_ibm_token }}``. | ||
|
|
||
| - **AWS Cloud access** | ||
|
|
||
| There are two **secret variables**, ``{{ copr_aws_access_key_id }}`` and | ||
| ``{{ copr_aws_secret_access_key }}`` which we use to templatize | ||
| the ``$HOME/.aws/config`` files. | ||
|
|
||
| - **OSUOSL (OpenStack) access** | ||
|
|
||
| There's ``{{ copr_openstack_osuosl_org_password }}`` used in | ||
| ``rc-osuosl.sh.j2`` template. | ||
|
|
||
| - **Copr FE/BE Token** | ||
|
|
||
| There's the `{{ copr_backend_password }}`` secret variable that is used on | ||
| several places. It is used for ``Frontend <-> Backend <-> DistGit`` | ||
| authentication. | ||
|
|
||
|
|
||
| Secret files | ||
| ------------ | ||
|
|
||
| - **SSH Key to builders** | ||
|
|
||
| There's the ``{{ private }}/files/copr/buildsys.priv`` file on Batcave. | ||
| This is the private key that we use to control our builders (running build | ||
| commands from ``Backend`` on ``Builders``). | ||
|
|
||
| **TODO:** Unfortunately, we overuse it on too many places. Both ``copr`` | ||
| and ``resalloc`` users on ``copr-backend`` use it. ``copr`` user to perform | ||
| the remote builds, ``resalloc`` to prepare VMs (remote "root" access) and to | ||
| actually start machines on hypervisors (virsh over ssh). This deserves a | ||
| split to multiple keys to simplify the rotation work. | ||
|
|
||
| **SSL Keys using letsencrypt** | ||
|
|
||
| For copr backend, we "backup" our currently issued LetsEncrypt certificates | ||
| and keys on Batcave, this is to simplify our life while migrating the | ||
| Backend role from one infrastructure machine to another (moving from | ||
| ``Fedora N`` to ``Fedora N+2`` typically. These files are not stored in | ||
| ``ansible-private.git`` though. | ||
|
|
||
| **Private key for Keygen** | ||
|
|
||
| There's the ``{{ private }}/files/copr/keygen/backup_key.asc`` file, the | ||
| main private key for Fedora Copr keygen. | ||
|
|
||
| .. _`Ansible SOP`: https://docs.fedoraproject.org/en-US/infra/sysadmin_guide/ansible/ | ||
| .. _`infra issues`: https://pagure.io/fedora-infrastructure/new_issue | ||
| .. _`AWX proposal`: https://pagure.io/fedora-infrastructure/issue/11377 | ||
| .. _`Vault proposal`: https://pagure.io/fedora-infrastructure/issue/11612 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters