Merge pull request #173 from stakater/secrets-update
Secrets update
Showing 1 changed file with 38 additions and 42 deletions.
|
@@ -2,19 +2,19 @@ | |
|
||
The following secrets are needed for running a fully functional pipeline using pipeline-as-code. Some of the secrets are auto-distributed in the build namespaces of all tenants. Organization level secrets will be deployed through the infra repository. Repository and application level secrets will be deployed through GitOps repository. | ||
|
||
## Auto Generated Secrets | ||
## SAAP Managed Secrets | ||
|
||
1. `sonar-creds` | ||
* _Purpose_: Used by `sonarqube-scan` pipeline task | ||
* _Owner_: SAAP admins | ||
* _Type_: Login credentials for SonarQube | ||
* _Used for_: For running SonarQube scan in pipeline | ||
* _Purpose_: Used by `sonarqube-scan` pipeline task. | ||
* _Owner_: SAAP admins. | ||
* _Type_: Login credentials for SonarQube. | ||
* _Used for_: For running SonarQube scan in pipeline. | ||
* _Lifecycle_: Every time a new tenant is created, the secret gets deployed in the build namespace. SonarQube credentials are not rotated and remain the same. | ||
* _Comment_: The origin of this secret is the SonarQube namespace. Secret is copied over to build namespace using an MTO template and Template Group Instance. | ||
* _Deployment Process_: The SonarQube deployed on SAAP contains a secret named `sonar-creds` in its namespace. This secret contains the username and password for SonarQube. We use a Multi Tenant Operator Template and TemplateGroupInstance to copy this secret and distribute it the build namespaces of all tenants. The Template and TemplateGroupInstance are both named `sonar-creds`. | ||
1. `docker-reg-creds` | ||
* _Purpose_: Used by buildah and the application itself to pull the image from the nexus registry | ||
* _Owner_: SAAP admins | ||
* _Purpose_: Used by buildah task and the application deployment to pull the image from the nexus registry. | ||
* _Owner_: SAAP admins. | ||
* _Type_: Login credentials for nexus docker registry. The secret itself is of type dockerconfigjson. | ||
* _Used for_: Pulling images from the nexus registry. Needs to be deployed in all namespaces of the tenant. We distribute it using a TGI. | ||
* _Lifecycle_: Every time a new tenant is created, the secret gets deployed in all its namespaces. | ||
|
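Review bot: the `docker-reg-creds` Purpose line still says the buildah task uses the credential "to pull the image", but buildah's role in a pipeline is to build and push the image, so this is one credential with push rights; combined with the `Used for` line ("Needs to be deployed in all namespaces of the tenant"), a push-capable registry credential is copied into every tenant namespace, not only the build namespace. Either document a pull-only credential for the deployments and a separate push credential that is distributed to the build namespace only, or state explicitly that a single read/write credential is distributed everywhere and why that is accepted. Two smaller points in the same hunk: the `sonar-creds` Lifecycle line "SonarQube credentials are not rotated and remain the same" gives no rationale and should either be marked as an accepted risk or replaced with a rotation procedure, and the `Type` line for `docker-reg-creds` should name the Kubernetes secret type `kubernetes.io/dockerconfigjson` rather than "dockerconfigjson".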
@@ -23,8 +23,8 @@ The following secrets are needed for running a fully functional pipeline using p | |
* _Purpose_: Used to pull and push charts from the Nexus Helm Registry. We use it in two places for our pipeline: | ||
1. `stakater-helm-push` task | ||
1. ArgoCD to fetch the helm chart | ||
* _Owner_: SAAP Admins | ||
* _Used for_: Pulling charts from Nexus | ||
* _Owner_: SAAP Admins. | ||
* _Used for_: Pulling charts from Nexus. | ||
* _Lifecycle_: Every time a new tenant is created, the secret gets deployed in the build namespace. The same secret is deployed in the `rh-openshift-gitops-instance` when SAAP is provisioned. | ||
* _Deployment Process_: Nexus comes shipped with SAAP. The `nexus3` namespace contains a secret named `helm-reg-creds`. This secret contains the username and password for the helm registry. We use a Multi Tenant Operator Template and TemplateGroupInstance to copy this secret and distribute it all namespaces of the tenants. The Template and TemplateGroupInstance are both named `helm-reg-creds`. Another TGI named `helm-reg-creds-gitops` deploys the secret in GitOps namespace so ArgoCD can fetch the charts. | ||
1. `rox-creds` | ||
|
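Review bot: the `helm-reg-creds` Lifecycle and Deployment Process lines disagree about where the secret lands: Lifecycle says "the secret gets deployed in the build namespace", while Deployment Process says the TemplateGroupInstance distributes it to "all namespaces of the tenants". Since Purpose lists push as well as pull (`stakater-helm-push` task), the wider distribution places a push-capable Nexus credential in non-build namespaces; decide which scope is correct and make both lines say the same thing. The `Used for` line ("Pulling charts from Nexus.") also omits the push use stated three lines above it.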
@@ -38,45 +38,41 @@ The following secrets are needed for running a fully functional pipeline using p | |
* _Comment_: Needs to be deployed in build namespace. We deploy it using TGI. | ||
* _Deployment Process_: After StackRox is installed on the SAAP cluster. An api token is created and stored in the rox-creds secret in the `stakater-stackrox` namespaces. We then use a Template and a TemplateGroupInstance with the same name to distribute the secret in the build namespace of tenants. | ||
|
||
## Infrastructure GitOps Credentials | ||
## Customer Managed Secrets | ||
|
||
1. `infra-gitops-creds` | ||
* _Purpose_: This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. | ||
* _Owner_: The owner of this secret will be customer's delivery engineer | ||
* _Location_: The secret will be deployed in the `rh-openshift-gitops-instance` namespace | ||
* _Used for_: Use only for the purpose of syncing your infra GitOps repository with ArgoCD | ||
* _Format_: Given below is the template for this secret. The secret/external secret will need to have `argocd.argoproj.io/secret-type: repository` label on it: | ||
### Organization Level Secrets | ||
|
||
```yaml | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: private-repo | ||
namespace: argocd | ||
labels: | ||
argocd.argoproj.io/secret-type: repository | ||
stringData: | ||
type: git | ||
url: [email protected]:argoproj/my-private-repository | ||
sshPrivateKey: | | ||
-----BEGIN OPENSSH PRIVATE KEY----- | ||
... | ||
-----END OPENSSH PRIVATE KEY----- | ||
``` | ||
1. `infra-gitops-creds` | ||
* _Purpose_: This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. | ||
* _Owner_: The owner of this secret will be customer's delivery engineer | ||
* _Location_: The secret will be deployed in the `rh-openshift-gitops-instance` namespace. | ||
* _Used for_: Use only for the purpose of syncing your infra GitOps repository with ArgoCD | ||
* _Format_: Given below is the template for this secret. The secret/external secret will need to have `argocd.argoproj.io/secret-type: repository` label on it: | ||
|
||
* _Comment_: This secret needs to be deployed on the cluster directly. | ||
```yaml | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: private-repo | ||
namespace: argocd | ||
labels: | ||
argocd.argoproj.io/secret-type: repository | ||
stringData: | ||
type: git | ||
url: [email protected]:argoproj/my-private-repository | ||
sshPrivateKey: | | ||
-----BEGIN OPENSSH PRIVATE KEY----- | ||
... | ||
-----END OPENSSH PRIVATE KEY----- | ||
``` | ||
## Organization Level Secrets | ||
* _Comment_: This secret needs to be deployed on the cluster directly. | ||
!!! note | ||
!!! note | ||
These secrets need to go into your Infra GitOps Repository | ||
1. `apps-gitops-creds` | ||
* _Purpose_: This secret is added so ArgoC | ||
* _Used for_: Communicating with RHACS API to scan images and deployments | ||
* _Lifecycle_: Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. | ||
* _Comment_: Needs to be deployed in build namespace. We deploy it using TGI. | ||
* _Deployment Process_: After RD can sync the `apps-gitops-config` repository. You can either use an ssh key or a personal access token for this purpose. | ||
* _Purpose_: This secret is added so ArgoCD can sync the `apps-gitops-config` repository. | ||
* _Owner_: The owner of this secret will be customer's delivery engineer | ||
* _Location_: The secret will be deployed in the `rh-openshift-gitops-instance` namespace **through the `infra-gitops` repository** | ||
* _Format_: Will have the same format as that of `infra-gitops-creds` secret | ||
|
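Review bot: the YAML template under `infra-gitops-creds` sets `namespace: argocd`, but the Location line above it says the secret is deployed in `rh-openshift-gitops-instance`; a reader who applies the manifest as written creates the repository secret in a namespace the OpenShift GitOps instance does not read, and ArgoCD will never pick it up. Change the sample to `namespace: rh-openshift-gitops-instance`, or drop the namespace from the template and state that it must match Location. Second, the template embeds `sshPrivateKey` in plaintext `stringData`, and the same format is reused by `apps-gitops-creds`, which this hunk says is deployed "through the `infra-gitops` repository"; a manifest with an inline private key must not be committed to a Git repository. The `Format` line already says "secret/external secret", so show the ExternalSecret form (with the `argocd.argoproj.io/secret-type: repository` label on the generated target secret) for anything that goes through GitOps, and state that the plaintext Secret form is only for the directly-applied bootstrap `infra-gitops-creds`. Finally, in this rendering the `apps-gitops-creds` entry is cut off ("added so ArgoC") and has `rox-creds` lines interleaved into it; please confirm the committed file reads cleanly before merge.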
@@ -156,7 +152,7 @@ The following secrets are needed for running a fully functional pipeline using p | |
1. In the Repository CR so pipeline-as-code can talk to the repository | ||
1. In create-environment task to get commit hashes | ||
1. In TronadorConfig to allow Tronador to access the application repository | ||
* _Owner_: The owner of this secret will be customer's delivery engineer | ||
* _Owner_: The owner of this secret will be customer's delivery engineer. | ||
* _Location_: This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador | ||
* _Deployment Process_: To deploy the git-pat-creds, follow the below-mentioned steps: | ||
1. Navigate to your `infra-gitops-config` repository | ||
|
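Review bot: the `git-pat-creds` entry names its three consumers (the Repository CR, the create-environment task, TronadorConfig) but not the scope the token needs, and Location says it is deployed in the build namespace of all tenants plus the namespaces Tronador creates, so one organization-wide token is readable from every tenant's build namespace. Add the minimum scope those three consumers require, recommend a repository-scoped token where the Git provider supports it, and give this entry a `_Lifecycle_` line with the rotation procedure, as the SAAP-managed entries have.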
@@ -206,7 +202,7 @@ The following secrets are needed for running a fully functional pipeline using p | |
|
||
1. If you have correctly configured your infra repository, ArgoCD should be able to sync the changes and deploy the secret in build namespaces of the tenants | ||
|
||
## Repository Level Secrets | ||
### Repository Level Secrets | ||
|
||
1. `[app-name]-ssh-creds` | ||
* _Purpose_: Used by these Tekton tasks: | ||
|
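Review bot: the final step ("ArgoCD should be able to sync the changes and deploy the secret in build namespaces of the tenants") ends the procedure without a check the reader can run. Add a verification step, for example `oc get secret git-pat-creds -n <tenant-build-namespace>` for one tenant together with the ArgoCD application's sync status, and say what to look at when the sync fails. The change from `## Repository Level Secrets` to `### Repository Level Secrets` nests the section under `Customer Managed Secrets`, which is consistent with the `### Organization Level Secrets` heading introduced earlier in this PR.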