falcosecurity / evolution

Evolution process of The Falco Project
Apache License 2.0

Donate fededp/Pigeon to falcosecurity #251

Closed FedeDP closed 1 year ago

FedeDP commented 1 year ago

Repository:

https://github.com/FedeDP/Pigeon

Motivation

In test-infra, peribolos is not capable of setting secrets and variables for GitHub Actions. We (me, @jasondellaluce and @cappellinsamuele) developed a small Go tool to help us with that. Basically, it takes a YAML config, very similar to the org.yaml one used by test-infra. The idea is to let this new tool be used inside test-infra to set up per-org/repo GitHub Actions variables and secrets (where secrets are stored on 1Password and thus not written in the configuration file).

Example configuration:

```yaml
orgs:
  foo:
    actions:
      variables:
        orgVar1: "orgValue1"
      secrets:
        - orgSecret0
    repos:
      bar:
        actions:
          variables:
            repoVar1: "repoValue1"
            repoVar2: "repoValue2"
          secrets:
            - repoSecret0
```

Notable: as part of the effort, a PR on go-github (Google's Go client library for the GitHub API) was created and successfully merged, to expose the new GitHub Actions variables API: https://github.com/google/go-github/pull/2652
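As an added illustration (example code written for this page, not Pigeon's own source), the following Go program models the configuration above with the schema it implies and shows the two properties the proposal relies on: secrets are referenced by name only, and their values are fetched at apply time from a secret store and never stored in the plan. `ExampleConfig`, `Plan`, `Apply` and the `Op` type are names assumed for this example; the real tool reads YAML with a library and writes through go-github, which are replaced here by a Go struct literal and two injected callbacks so the program runs offline.

```go
package main

import (
	"fmt"
	"sort"
)

// These types mirror the configuration shown in the issue: variables carry
// their value inline, secrets are listed by name only, so the file never
// contains a secret value. The yaml tags are what a YAML unmarshaller would use.
type (
	ActionsConfig struct {
		Variables map[string]string `yaml:"variables"`
		Secrets   []string          `yaml:"secrets"`
	}
	RepoConfig struct {
		Actions ActionsConfig `yaml:"actions"`
	}
	OrgConfig struct {
		Actions ActionsConfig         `yaml:"actions"`
		Repos   map[string]RepoConfig `yaml:"repos"`
	}
	Config struct {
		Orgs map[string]OrgConfig `yaml:"orgs"`
	}
)

// Op is one desired-state change; Repo is "" for org-level entries. For
// Kind == "secret" Plan leaves Value empty on purpose: secret values are only
// looked up inside Apply and never stored in, or logged from, the plan.
type Op struct {
	Org, Repo, Kind, Name, Value string
}

// ExampleConfig is the issue's example configuration as a Go literal
// (constructed here; the real tool would unmarshal it from the YAML file).
func ExampleConfig() Config {
	return Config{Orgs: map[string]OrgConfig{"foo": {
		Actions: ActionsConfig{Variables: map[string]string{"orgVar1": "orgValue1"}, Secrets: []string{"orgSecret0"}},
		Repos: map[string]RepoConfig{"bar": {Actions: ActionsConfig{
			Variables: map[string]string{"repoVar1": "repoValue1", "repoVar2": "repoValue2"},
			Secrets:   []string{"repoSecret0"},
		}}},
	}}}
}

// Plan flattens the config into a deterministic list (org-level before
// repo-level, secrets before variables, names sorted) so two runs over the
// same file produce the same reviewable plan regardless of map iteration order.
func Plan(cfg Config) []Op {
	var ops []Op
	add := func(org, repo string, a ActionsConfig) {
		for _, s := range a.Secrets {
			ops = append(ops, Op{Org: org, Repo: repo, Kind: "secret", Name: s})
		}
		for k, v := range a.Variables {
			ops = append(ops, Op{Org: org, Repo: repo, Kind: "variable", Name: k, Value: v})
		}
	}
	for org, oc := range cfg.Orgs {
		add(org, "", oc.Actions)
		for repo, rc := range oc.Repos {
			add(org, repo, rc.Actions)
		}
	}
	// NUL-joined sort key: "" (org level) sorts before any repo name, and
	// "secret" sorts before "variable".
	key := func(o Op) string { return o.Org + "\x00" + o.Repo + "\x00" + o.Kind + "\x00" + o.Name }
	sort.Slice(ops, func(i, j int) bool { return key(ops[i]) < key(ops[j]) })
	return ops
}

// Apply executes a plan. resolve stands in for the secret store (1Password in
// the real tool) and set for the GitHub API write (go-github in the real tool);
// both are injected so this example runs offline. A failed lookup aborts the
// run instead of writing a partial or empty secret; the resolved value exists
// only in the loop's local copy of op.
func Apply(ops []Op, resolve func(string) (string, error), set func(Op) error) (int, error) {
	applied := 0
	for _, op := range ops {
		if op.Kind == "secret" {
			v, err := resolve(op.Name)
			if err != nil {
				return applied, fmt.Errorf("resolving secret %q for %s/%s: %w", op.Name, op.Org, op.Repo, err)
			}
			op.Value = v
		}
		if err := set(op); err != nil {
			return applied, fmt.Errorf("setting %s %q on %s/%s: %w", op.Kind, op.Name, op.Org, op.Repo, err)
		}
		applied++
	}
	return applied, nil
}

func main() {
	// Print the plan only: Value is empty for secrets because nothing is resolved here.
	for _, op := range Plan(ExampleConfig()) {
		fmt.Printf("%s/%s %s %s=%q\n", op.Org, op.Repo, op.Kind, op.Name, op.Value)
	}
}
```

The deterministic plan is what makes a run reviewable in a PR or a CI log: the log shows which secret names will be written where, while the values pass straight from the resolver to the API call and appear in neither the plan nor the output.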

jasondellaluce commented 1 year ago

My vote is not relevant as I'm part of the proposing contributors. I want to highlight that the importance of this project is that it allows us to control the secrets and env variables used across all our org's CI, in a single location, and as code. As such, every secret movement will be public, transparent, and reproducible. It will potentially grow to support other pieces of configuration too, which will be great in our current effort of moving many of our jobs to GitHub Actions.

An additional open point is understanding if this project will be a standalone repository or if it will be included in the test-infra repo as a sub-project. I'll let other maintainers debate on this.

Shout out to @cappellinsamuele for contributing in developing this!

Fun backstory on the name: Pigeon is inspired by messenger pigeons, with the analogy that this tool will be in charge of delivering secrets and pieces of configuration from Poiana all around the org to the right places. Please appreciate all the bird-related jokes that are taking off in the Falco project.

cc @falcosecurity/core-maintainers

cappellinsamuele commented 1 year ago

Thank you @jasondellaluce and @FedeDP!

incertum commented 1 year ago

> ... where secrets are stored on 1password and thus not written in configuration file

Secrets leakage -> root of most evil, thanks so much for investing into secrets management, warms my :heart:!

> ... highlight that the importance of this project is that it allow us to control the secrets and env variables used across all our org's CI, in a single location, and as code

This is great, let's ensure we have proper and more strict access controls in place.

> An additional open point is understanding if this project will be a standalone repository or if it will be included in the test-infra repo as a sub-project. Will let other maintainers debate on this.

With the above comment in mind, voting to keep it segregated from test-infra.

> Will potentially grow to support other pieces of configuration too, which will be great in our current effort of moving many of our jobs to GitHub Actions.

Awesome!

vote: +1

maxgio92 commented 1 year ago

This is lovely <3 @FedeDP @jasondellaluce @cappellinsamuele Thank you, great job.

This was exactly the piece we missed in the declarative administration of the GitHub organization: transparent, less error-prone, agile.

vote: +1

As a side note I'd keep the project separated, leaving Open Infra a user of Pigeon :-) That would be in the direction of keeping the test-infra project as light as possible.

leogr commented 1 year ago

Lovely name :heart_eyes:

Big +1 from me!

Andreagit97 commented 1 year ago

Amazing! :partying_face: vote: +1

cpanato commented 1 year ago

+1 cool

jasondellaluce commented 1 year ago

Opened PRs on test-infra and evolution! Once we get those going, we can close this.

https://github.com/falcosecurity/test-infra/pull/1010
https://github.com/falcosecurity/evolution/pull/253

FedeDP commented 1 year ago

Yay! /close

poiana commented 1 year ago

@FedeDP: Closing this issue.

In response to [this](https://github.com/falcosecurity/evolution/issues/251#issuecomment-1441470968):

> Yay! /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.