Closed jgu17 closed 2 years ago
I can work on this issue if no one has started yet. Can someone assign this issue to me?
All yours @sirajyasin
Thanks @sirajyasin! A couple thoughts on how to approach it:
1. make this line conditional, based on an input/override to AIAP: https://github.com/airshipit/airshipctl/blob/master/tools/airship-in-a-pod/runner/assets/entrypoint.sh#L77 This^ is because we still want to regenerate/show secrets in our gates, but when we're testing an integration that uses real-life credentials in the manifests, we want to neither regenerate nor show!
2. provide the decryption key to AIAP via a kind: Secret. The base kustomization could define the contents of this to include the mozilla key, and there could be a placeholder and/or documentation on how to kustomize a real key on top of it
3. add documentation on how to use a custom key to the AIAP README
4. (probably outside the scope of this issue, & should be a follow-on) it would be great to leverage #2 to mount in azure key vault-hosted keys, perhaps using this feature: https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver
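As an added example (not code from airshipctl or the AIAP entrypoint), a shell sketch of the first two steps proposed in the comment above: the regenerate/show-secrets step gated on an override, and the SOPS gpg key resolved from a path mounted from a kind: Secret, falling back to the Mozilla test key. The names AIAP_REGENERATE_SECRETS, AIAP_SOPS_KEY_DIR and DEFAULT_SOPS_KEY, and both key paths, are assumptions.

```shell
#!/bin/sh
# Added example, not code from airshipctl: a sketch of the two entrypoint.sh
# changes proposed in the issue. AIAP_REGENERATE_SECRETS, AIAP_SOPS_KEY_DIR
# and DEFAULT_SOPS_KEY are hypothetical names.
set -eu

# Path of the Mozilla SOPS test key shipped with the base kustomization (assumed).
DEFAULT_SOPS_KEY="${DEFAULT_SOPS_KEY:-/opt/aiap/keys/mozilla-sops-test-key.asc}"

# Gate for the existing "regenerate and show secrets" step. Unset/true keeps
# today's gate behaviour; integration runs carrying real credentials set it
# to false so the step neither regenerates nor prints anything.
should_regenerate_secrets() {
  _flag="${1:-${AIAP_REGENERATE_SECRETS:-true}}"
  case "$_flag" in
    true|1|yes) return 0 ;;
    false|0|no) return 1 ;;
    *) echo "AIAP_REGENERATE_SECRETS must be true or false, got '$_flag'" >&2; return 2 ;;
  esac
}

# Resolve the gpg private key to import: prefer key.asc mounted from a
# kind: Secret volume, otherwise fall back to the Mozilla test key.
# Prints the chosen path; fails if neither file exists and is non-empty.
resolve_sops_key() {
  _dir="${1:-${AIAP_SOPS_KEY_DIR:-/etc/aiap/sops-key}}"
  if [ -s "$_dir/key.asc" ]; then
    printf '%s\n' "$_dir/key.asc"
  elif [ -s "$DEFAULT_SOPS_KEY" ]; then
    printf '%s\n' "$DEFAULT_SOPS_KEY"
  else
    echo "no sops gpg key at $_dir/key.asc or $DEFAULT_SOPS_KEY" >&2
    return 1
  fi
}

# Identify the key in logs without showing it: first 12 hex chars of its SHA-256.
key_digest() {
  sha256sum "$1" | cut -c1-12
}

# Wiring sketch for entrypoint.sh:
#   if should_regenerate_secrets; then
#     : # existing regenerate/show-secrets line goes here
#   fi
#   KEY_FILE=$(resolve_sops_key)
#   echo "importing sops key $(key_digest "$KEY_FILE")"
#   gpg --batch --import "$KEY_FILE"
```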
This Issue can be marked completed/Closed. Both the related PSs are merged now.
closing per merge
Problem description (if applicable)
AIAP can only deploy using the Mozilla SOPS gpg key for testing purposes.
Proposed change
Add support in AIAP to use a production gpg key for secret encryption and decryption.
Potential impacts
Potential security or performance related impacts.