[
https://ovirt-jira.atlassian.net/browse/OVIRT-1867?page=com.atlassian.jir...
]
Roman Mohr commented on OVIRT-1867:
-----------------------------------
In my opinion, having the secrets encrypted in the code is better, since you don't
need accounts for engineers on CI to do that. A public rsa key can be made accessible for
the whole world. With other words, the issue is exactly about the self-service and not
about how to bind existing secrets. It is also related to OVIRT-1868. In combination with
a Jenkinsfile, pretty much the whole yaml/script/chroot can be made obsolete, however that
is a different story.
Allow embedded secrets inside the source repo for CI
----------------------------------------------------
Key: OVIRT-1867
URL:
https://ovirt-jira.atlassian.net/browse/OVIRT-1867
Project: oVirt - virtualization made easy
Issue Type: By-EMAIL
Components: Standard CI (Pipelines), STDCI DSL
Reporter: Roman Mohr
Assignee: infra
In order to improve the self-service capabilities of standard-ci it is
important for projects, that they can add their own secrets to projects (to
reach external services, e.g. docker hub, ...).
Travis has a very nice system which helps engineers there:
https://docs.travis-ci.com/user/encryption-keys/
Basically the CI system needs to generate a public/private key pair for
every enabled git repo. The engineer simply fetches the public key via a
well know URL and encrypts the secrets. Then the encrypted secret can be
made part of the source repo. Before the tests are run the CI system
decrypts the secrets. Than can play together pretty well with Jenkinsfiles
too.
Benefit:
* Less manual intervention from CI team to add secrets to jobs
* Strengthen the config-in-code thinking
--
This message was sent by Atlassian Jira
(v1001.0.0-SNAPSHOT#100077)