From jira at ovirt-jira.atlassian.net Tue Jan 30 10:36:34 2018
From: Roman Mohr (oVirt JIRA)
To: infra at ovirt.org
Subject: [JIRA] (OVIRT-1867) Allow embedded secrets inside the source repo for CI
Date: Tue, 30 Jan 2018 10:36:33 +0000
In-Reply-To: JIRA.33417.1517308592000@Atlassian.JIRA

Roman Mohr created OVIRT-1867:

   Summary: Allow embedded secrets inside the source repo for CI
       Key: OVIRT-1867
       URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1867
   Project: oVirt - virtualization made easy
Issue Type: By-EMAIL
  Reporter: Roman Mohr
  Assignee: infra

In order to improve the self-service capabilities of standard-ci it is important for projects, that they can add their own secrets to projects (to reach external services, e.g. docker hub, …).

Travis has a very nice system which helps engineers there: https://docs.travis-ci.com/user/encryption-keys/

Basically the CI system needs to generate a public/private key pair for every enabled git repo. The engineer simply fetches the public key via a well-known URL and encrypts the secrets. Then the encrypted secret can be made part of the source repo. Before the tests are run the CI system decrypts the secrets. That can play together pretty well with Jenkinsfiles too.

Benefit:

* Less manual intervention from CI team to add secrets to jobs
* Strengthen the config-in-code thinking

— This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100077)
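
The flow described in the message above (one key pair per enabled repo, the engineer encrypts with the public key, CI decrypts before the tests), as an added example that is not part of the original message and is not oVirt's or Travis's code. The `RepoKeys` store, the repo names and the secret are constructed for illustration, and RSA-OAEP with SHA-256 is an assumed choice of scheme.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

type RepoKeys map[string]*rsa.PrivateKey // hypothetical CI-side store: one key pair per enabled repo

// Enable generates the repo's key pair; CI keeps the private half and publishes the public half.
func (k RepoKeys) Enable(repo string) (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	k[repo] = priv
	return &priv.PublicKey, nil
}

// Encrypt runs on the engineer's machine; the base64 result is what gets committed.
func Encrypt(pub *rsa.PublicKey, secret string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(secret), nil)
	return base64.StdEncoding.EncodeToString(ct), err
}

// Decrypt runs in CI before the tests, using only the key of the repo being built.
func (k RepoKeys) Decrypt(repo, committed string) (string, error) {
	priv, ok := k[repo]
	if !ok {
		return "", fmt.Errorf("repo not enabled: %s", repo)
	}
	ct, err := base64.StdEncoding.DecodeString(committed)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	return string(pt), err
}

func main() {
	keys := RepoKeys{}
	pub, _ := keys.Enable("project-a") // constructed repo names and secret
	keys.Enable("project-b")
	blob, _ := Encrypt(pub, "dockerhub-token-EXAMPLE")
	fmt.Println(keys.Decrypt("project-a", blob)) // secret recovered
	fmt.Println(keys.Decrypt("project-b", blob)) // error: blob was encrypted for another repo's key
}
```

With a 2048-bit key and SHA-256, OAEP accepts at most 190 bytes of plaintext, so larger secrets (files, certificates) need a hybrid scheme in which RSA wraps a symmetric key.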
