
[Beta Cluster] How can secrets be stored for use in a docker_services service configuration?
Closed, Resolved (Public)

Description

The push-notifications service needs to authenticate to MediaWiki in order to make API requests to delete invalid push subscriptions. A user account (PushSubscriptionManager2) has been created on Beta Metawiki for use by the service. We need to update the push-notifications service configuration on deployment-push-notifications01 to provide the credentials for this user:

profile::docker::runner::service_defs:
  mediawiki-services-push-notifications:
    config:
      services:
      - name: push-notifications
        conf:
          [...]
          mw_subscription_manager_username: PushSubscriptionManager2
          mw_subscription_manager_password: <password>

The trouble is that instance Hiera configurations are committed to a public Git repo. Is there a way to provide this password to the service configuration in Cloud VPS that doesn't expose it publicly?

Event Timeline

The only place to store "secrets" is on the deployment-prep Puppetmaster instance in the form of local commits to the labs/private.git repo which is cloned at /var/lib/git/labs/private on deployment-puppetmaster04.deployment-prep.eqiad.wmflabs. Some Puppet roles are written such that hiera data drawn from a public key and a private key are merged at manifest compilation to deliver secrets to the instance. ::profile::docker::runner does not currently appear to follow this pattern.

@Mholloway, I am not particularly familiar with Beta, but as far as I know there aren't any stored secrets. I think that we'd need to modify the puppet role to allow for this, per @bd808's suggestion.

Mholloway claimed this task.

Thanks @bd808 and @akosiaris. I added the value I needed to the labs/private.git repo on deployment-puppetmaster04, and was able to reference it from the profile::docker::runner::service_defs setting in the instance hiera config for deployment-push-notifications01 as follows:

profile::docker::runner::service_defs:
  mediawiki-services-push-notifications:
    config:
      services:
      - name: push-notifications
        conf:
          [...]
          mw_subscription_manager_username: PushSubscriptionManager2
          mw_subscription_manager_password: '%{lookup("push_subscription_manager_password")}'
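The pattern the thread arrives at is: the public instance hiera carries only a `%{lookup("…")}` reference, and the actual value lives in the private data on the puppetmaster, with the two merged when the catalog is compiled. The script below is an added example written for this page; it is not Puppet's or Hiera's code and not part of the deployment-prep configuration. It models the interpolation with a small resolver and adds the check a practitioner would want before committing: any secret-looking key in the public data whose value is a literal rather than a lookup reference is flagged. The key name `push_subscription_manager_password` and the service definition come from the thread; the private value, the function names and the key-name heuristic are constructed for the example.

```python
import re
from typing import Any, Dict, List

# Constructed sample: the public instance hiera for
# deployment-push-notifications01, as it would be committed publicly.
# The password field holds only a lookup reference, never the value.
PUBLIC_HIERA: Dict[str, Any] = {
    "profile::docker::runner::service_defs": {
        "mediawiki-services-push-notifications": {
            "config": {
                "services": [
                    {
                        "name": "push-notifications",
                        "conf": {
                            "mw_subscription_manager_username": "PushSubscriptionManager2",
                            "mw_subscription_manager_password":
                                '%{lookup("push_subscription_manager_password")}',
                        },
                    }
                ]
            }
        }
    }
}

# Constructed sample: the key that exists only in the local labs/private.git
# clone on the puppetmaster. The value is a placeholder, not a credential.
PRIVATE_HIERA: Dict[str, Any] = {
    "push_subscription_manager_password": "example-only-not-a-real-secret",
}

# Matches Hiera-style %{lookup("key")} / %{lookup('key')} references.
LOOKUP_RE = re.compile(r'%\{lookup\(\s*["\']([^"\']+)["\']\s*\)\}')
# Heuristic for key names that should never carry a literal in public data.
SECRET_KEY_RE = re.compile(r"(password|secret|token)", re.IGNORECASE)


class MissingSecret(KeyError):
    """Raised when a lookup reference has no value in the private data."""


def interpolate(value: Any, private: Dict[str, Any]) -> Any:
    """Recursively resolve lookup references against the private data.

    Strings have each %{lookup("key")} replaced by private[key]; dicts and
    lists are walked; other scalars are returned unchanged. A reference to a
    key absent from the private data raises instead of silently emitting the
    raw placeholder into the service configuration.
    """
    if isinstance(value, str):
        def substitute(match: "re.Match[str]") -> str:
            key = match.group(1)
            if key not in private:
                raise MissingSecret(key)
            return str(private[key])
        return LOOKUP_RE.sub(substitute, value)
    if isinstance(value, dict):
        return {k: interpolate(v, private) for k, v in value.items()}
    if isinstance(value, list):
        return [interpolate(v, private) for v in value]
    return value


def find_literal_secrets(value: Any, path: str = "") -> List[str]:
    """Return paths of secret-looking keys whose value is a literal string.

    A literal under such a key in the public hiera would be published with
    the repo; a value that is exactly a lookup reference is fine.
    """
    findings: List[str] = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}/{key}" if path else key
            if (isinstance(child, str) and SECRET_KEY_RE.search(key)
                    and not LOOKUP_RE.fullmatch(child)):
                findings.append(child_path)
            findings.extend(find_literal_secrets(child, child_path))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            findings.extend(find_literal_secrets(child, f"{path}[{index}]"))
    return findings


def render_service_conf(public: Dict[str, Any], private: Dict[str, Any]) -> Dict[str, Any]:
    """Refuse to render if the public data leaks a literal secret, then merge.

    Returns the resolved `conf` block of the push-notifications service.
    """
    leaks = find_literal_secrets(public)
    if leaks:
        raise ValueError(f"literal secrets in public hiera: {leaks}")
    resolved = interpolate(public, private)
    service_defs = resolved["profile::docker::runner::service_defs"]
    return service_defs["mediawiki-services-push-notifications"]["config"]["services"][0]["conf"]


if __name__ == "__main__":
    conf = render_service_conf(PUBLIC_HIERA, PRIVATE_HIERA)
    print("username:", conf["mw_subscription_manager_username"])
    print("password resolved from private data:", conf["mw_subscription_manager_password"] != "")
```

`find_literal_secrets` is the piece worth wiring into a pre-commit hook for the public hiera repo: it is deliberately conservative (a value that is exactly a lookup reference passes, anything else under a password/secret/token key fails), which catches the `<password>` literal from the task description while letting the `%{lookup(...)}` form through.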