
Create ssh keypair for integration/docroot deployment with scap
Closed, Resolved (Public)

Description

As part of T256005, I need a new ssh key pair to be generated and stored in Puppet. It will be loaded in keyholder on the deployment server and let scap reach the target machines.

The generated files should be saved as:

modules/secret/secrets/keyholder/deploy_ci_docroot
modules/secret/secrets/keyholder/deploy_ci_docroot.pub

For reference, the related puppet code to add scap is https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/607056/

Event Timeline

ema triaged this task as Medium priority.

Key generated and added to the private puppet repo under modules/secret/secrets/keyholder.

ema removed ema as the assignee of this task. Jun 25 2020, 11:50 AM
hashar assigned this task to ema.

This was a single-use task. The rest will be done as part of deploying the scap configuration on the deployment servers, which is parent task T256005.

Thank you @ema!

@ema the ssh key is described with ema@ariel, which shows up when running keyholder status. After the key got armed, I was looking for deploy_ci_docroot, or at least something more or less describing the purpose of the key. That has led to a bit of confusion for @jcrespo and me ;)

@ema please sync with me, I am guessing we could regenerate the key with a better identifier, if that is the issue. Other keys use the path /etc/keyholder.d/apache2modsec and that way it is easier to identify armed keys by keyholder. I will also try to document better the issues I encountered when deploying a new repo.
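
The comment mix-up discussed in the last two comments, as an added example that is not part of the original task: a POSIX shell check that each OpenSSH public key's comment matches its file's base name, so a default user@host comment is caught before the key is committed. The matching rule, the second key name and the key blobs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that each OpenSSH public key's comment names its purpose.
# Assumption: the expected identifier is the file's base name
# (e.g. deploy_ci_docroot.pub should carry the comment "deploy_ci_docroot").

# Print the comment of a one-line OpenSSH public key file
# (format: "<type> <base64-blob> <comment...>").
pubkey_comment() {
    awk 'NR == 1 { sub(/^[^ ]+ +[^ ]+ */, ""); print }' "$1"
}

# For every *.pub in directory $1 print "OK <name>" or
# "MISMATCH <name> comment=<comment>"; return 1 if any key mismatches.
audit_key_comments() {
    dir=$1
    rc=0
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || continue
        name=$(basename "$pub" .pub)
        comment=$(pubkey_comment "$pub")
        if [ "$comment" = "$name" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name comment=$comment"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: two public key files with placeholder blobs (not real keys).
# sample_other_key is a hypothetical name.
make_sample_dir() {
    d=$(mktemp -d)
    blob="AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD"
    echo "ssh-ed25519 $blob ema@ariel" > "$d/deploy_ci_docroot.pub"
    echo "ssh-ed25519 $blob sample_other_key" > "$d/sample_other_key.pub"
    echo "$d"
}

sample=$(make_sample_dir)
audit_key_comments "$sample" || echo "at least one key comment does not name its purpose"
rm -rf "$sample"

# A mismatch can be corrected without regenerating the key pair:
#   ssh-keygen -c -C deploy_ci_docroot -f deploy_ci_docroot
```

`ssh-keygen -c` rewrites the comment in both the private and public key files and prompts for the passphrase if the key has one.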