From jira at ovirt-jira.atlassian.net Thu Feb 8 13:09:38 2018
From: Barak Korren (oVirt JIRA)
To: infra at ovirt.org
Subject: [JIRA] (OVIRT-1867) Allow embedded secrets inside the source repo for CI
Date: Thu, 08 Feb 2018 13:09:36 +0000
In-Reply-To: JIRA.33417.1517308592000@Atlassian.JIRA

[ https://ovirt-jira.atlassian.net/browse/OVIRT-1867?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Barak Korren updated OVIRT-1867:
--------------------------------
    Labels: credentials  (was: )

> Allow embedded secrets inside the source repo for CI
> ----------------------------------------------------
>
>                 Key: OVIRT-1867
>                 URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1867
>             Project: oVirt - virtualization made easy
>          Issue Type: New Feature
>          Components: Standard CI (Pipelines), STDCI DSL
>            Reporter: Roman Mohr
>            Assignee: infra
>              Labels: credentials
>
> In order to improve the self-service capabilities of standard-ci it is
> important for projects that they can add their own secrets to projects (to
> reach external services, e.g. Docker Hub, ...).
> Travis has a very nice system which helps engineers there:
> https://docs.travis-ci.com/user/encryption-keys/
> Basically the CI system needs to generate a public/private key pair for
> every enabled git repo. The engineer simply fetches the public key via a
> well-known URL and encrypts the secrets. Then the encrypted secret can be
> made part of the source repo. Before the tests are run the CI system
> decrypts the secrets. That can play together pretty well with Jenkinsfiles
> too.
> Benefit:
>  * Less manual intervention from CI team to add secrets to jobs
>  * Strengthen the config-in-code thinking

--
This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100079)
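
The flow the issue describes (one key pair per enabled repo, the engineer encrypts with the public key, CI decrypts before the tests), as an added example using the `openssl` CLI; it is not part of the original message, nor oVirt's or Travis's code. The function names, the repo names and the temporary key-store directory are assumptions, and the second check shows that a ciphertext committed for one repo does not decrypt under another repo's key.

```shell
#!/bin/sh
# Added illustration of the per-repo key-pair flow; all names are hypothetical.
set -eu

KEYSTORE=$(mktemp -d)              # stands in for the CI server's key store
trap 'rm -rf "$KEYSTORE"' EXIT

# CI side: generate one RSA key pair per enabled repo.
# Only <repo>.pub would be served at the well-known URL.
ci_enable_repo() {                 # usage: ci_enable_repo <repo>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$KEYSTORE/$1.key" 2>/dev/null
    openssl pkey -in "$KEYSTORE/$1.key" -pubout -out "$KEYSTORE/$1.pub"
}

# Engineer side: encrypt with the repo's public key (OAEP padding) and
# print base64 text that can be committed to the source repo.
encrypt_secret() {                 # usage: encrypt_secret <repo> <secret>
    printf '%s' "$2" |
        openssl pkeyutl -encrypt -pubin -inkey "$KEYSTORE/$1.pub" \
            -pkeyopt rsa_padding_mode:oaep |
        openssl base64 -A
}

# CI side: decrypt just before the tests run. Returns non-zero when the
# ciphertext was not produced for this repo's key.
decrypt_secret() {                 # usage: decrypt_secret <repo> <base64>
    printf '%s' "$2" | openssl base64 -d -A |
        openssl pkeyutl -decrypt -inkey "$KEYSTORE/$1.key" \
            -pkeyopt rsa_padding_mode:oaep 2>/dev/null
}

# Constructed demo values: two enabled repos and a made-up token.
ci_enable_repo repo-a
ci_enable_repo repo-b
committed=$(encrypt_secret repo-a 'constructed-dockerhub-token')

[ "$(decrypt_secret repo-a "$committed")" = 'constructed-dockerhub-token' ] &&
    echo "repo-a build: secret decrypted"
if decrypt_secret repo-b "$committed" >/dev/null; then
    echo "repo-b build: unexpected decrypt"
else
    echo "repo-b build: decrypt refused (ciphertext is bound to repo-a's key)"
fi
```

RSA-OAEP under a 2048-bit key only fits short secrets (214 bytes with the default SHA-1 digest), so larger files need a symmetric key that is itself encrypted this way. OAEP is used because a wrong-key decrypt fails outright, which is what the repo-b check relies on.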