Secrets
During deployment (make deploy
), secret files are downloaded from a vault
into one of the subdirectories and transformed into Kubernetes/Openshift secrets.
They can also be downloaded independently with make download-secrets
(only Packit team members with access to Bitwarden vault).
By default, these subdirectories contain only templates, which don't contain any secret,
but which are processes and injected with secrets during the deployment process.
If you want to see them rendered before you run the deployment,
use make render-secrets-from-templates
.
Install bw
CLI
https://bitwarden.com/help/cli/#download-and-install
Update secrets in Bitwarden
Use scripts/update_bw_secret.sh
to update secrets, and don't have to click
through the Bitwarden Web UI, deleting and uploading attachments.
Here is the workflow how to do that:
Make sure your local copy is up-to-date. For example:
$ SERVICE=packit DEPLOYMENT=stg make download-secrets
Edit the secret file you want to update, for example:
$ $EDITOR secrets/packit/stg/extra-vars.yml
Update the secret in Bitwarden. For example:
$ ./scripts/update_bw_secret.sh secrets/packit/stg/extra-vars.yml
The script figures out which Bitwarden item to edit from the path to the file,
so that needs to be provided as secrets/<service>/<deployment>/<file>
.
Nothing happens if the file did not change. The script also helps with
updating the ! Changelog !
: saves the note in a file, opens the file with
$EDITOR
to be edited, and updates the note in Bitwarden.
Update secrets in OpenShift
Use scripts/update_oc_secret.sh
to update secrets directly in OpenShift from
the command-line.
First make sure the local copies of the secrets are in sync with what's stored in Bitwarden. For example:
$ SERVICE=packit DEPLOYMENT=stg make download-secrets
Edit the file you want to update. For example:
$ $EDITOR secrets/packit/stg/packit-service.yaml.j2
Render secret files from the templates:
$ SERVICE=packit DEPLOYMENT=stg make render-secrets-from-templates
This creates
packit-service.yaml
frompackit-service.yaml.j2
(no secret values, stored in public repo) andextra-vars.yml
(secret values, downloaded from the vault).Login to OpenShift and select the right project. For example:
$ oc login ...
$ oc project packit-stgUpdate the secret in OpenShift with the content of the file. You'll need to know the name of the secret. For example:
$ scripts/update_oc_secret.sh packit-config secrets/packit/stg/packit-service.yaml
Don't forget that you'll need to re-spin the pods using the secret, so that they pick up the change.
What secret files the deployment expects
Not all services expect all of them. For example source-git services don't need copr
& private-key.pem
.
Check generate_secrets role to see some pre-filled.
copr
- Your copr credentials.extra-vars.yml
- tokens, passwords, keys, etc.fedora.keytab
- Fedora kerberos.fedora.toml
- fedora-messaging configuration. Generated fromfedora.toml.j2
andextra-vars.yml
either during deployment or manually withmake render-secrets-from-templates
.fullchain.pem
&privkey.pem
- Let's encrypt TLS certs.id_ed25519[.pub]
- SSH keys, to push to a git forge.packit-service.yaml
- The service configuration. Generated frompackit-service.yaml.j2
andextra-vars.yml
either during deployment or manually withmake render-secrets-from-templates
.private-key.pem
- Specified in a GitHub App settings. Used to sign access token requests.ssh_config
- SSH configuration to be able to run fedpkg inside the OpenShift pod.
Running a service/bot locally
Before you can try the service locally
you need to have expected secrets in secrets/{SERVICE}/dev/
. Either
- generate them with
make generate-local-secrets
or - if you're a Packit team member with access to Bitwarden vault, download
stg/
secrets (DEPLOYMENT=stg make download-secrets
) and copy intodev/
In both cases you have to do some tweaks before using them:
packit-service.yaml.j2
:deployment: dev
fas_user: your-fas-username
validate_webhooks: false
server_name: service.localhost:8443
extra-vars.yml
- would be nice to use your tokens/api keys in
packit_service.authentication
, but it's not crucial since it's for staging instances sentry.dsn
: just empty it to not send your devel bugs to Sentryfedora_messaging
: replace with a new generated (uuidgen
) one (if you'll run fedmsg)
- would be nice to use your tokens/api keys in
copr
: would be nice to use your own token if you're planning to build in Coprid_ed25519[.pub]
: replace with your ssh keys
Not all services use all of them. For example copr
is needed only by packit
service.