Page MenuHomePhabricator
Create Task
Maniphest T256138

Create ssh keypair for integration/docroot deployment with scap
Closed, ResolvedPublic
Actions

Description

As part of T256005, I need a new ssh key pair to be generated and stored in Puppet. It will be loaded in keyholder on the deployment server and let scap reach the target machines.

The generated files should be saved as:

modules/secret/secrets/keyholder/deploy_ci_docroot
modules/secret/secrets/keyholder/deploy_ci_docroot.pub

For reference, the related puppet code to add scap is https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/607056/

Related Objects
Search...

Event Timeline

hashar created this task.Jun 23 2020, 3:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 23 2020, 3:32 PM
hashar added a parent task: T256005: Move integration/docroot.git deployment to scap.Jun 23 2020, 3:32 PM
ema claimed this task.Jun 24 2020, 9:01 AM
ema triaged this task as Medium priority.
ema added a comment.Jun 25 2020, 11:49 AM

Key generated and added to the private puppet repo under modules/secret/secrets/keyholder.

ema removed ema as the assignee of this task.Jun 25 2020, 11:50 AM
hashar closed this task as Resolved.Jun 29 2020, 3:10 PM
hashar assigned this task to ema.

This was a single use task. The rest will be done as part of deploying the scap configuration on the deployment servers which is parent task T256005

Thank you @ema!

hashar added a subscriber: jcrespo.Jul 7 2020, 3:05 PM

@ema the ssh key is described with ema@ariel which show up when running keyholder status. After the key got armed, I was looking for deploy_ci_docroot, or at least something more or less describing the purpose of the key. That has lead to a bit of confusion for @jcrespo and I ;)

jcrespo added a comment.Jul 7 2020, 3:08 PM

@ema please sync with me, I am guessing we could regenerate the key with a better identifier, if that is the issue. Other keys use the path /etc/keyholder.d/apache2modsec and that way it is easier to identify armed keys by keyholder. I will also try to document better the issues I encountered when deploying a new repo.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL