feature list

[Jean-Baptiste-Lasselle]

• auth with same process than drone ci : authenticate give access OAuth application on github

• many authentication method allowed, but in all cases :

  • whatever id provider (gitlab github, ...) you used too sign up, an identity is created in keycloak (take the keycloak from apicuria microcks bundle), and the client ID client Secret from github (or gtilab etc..) is kept in hashicorp vault directly (no other database)

• now :

  • you create a gmail and github account for your bot
  • once authenticated to bourne-bot, with , you can create a bot
  • then, for every bot, you can add an identity of a given type :
    • for github, you have to provide a personal access token, with enough permissions, to query all required features in Github API v4 . You can also provide client ID client Secret, SSH Keys, GPG keys, all secrets you keep for the bot. There is also a button that triggers the request for OAuth access to github as OAuth Applications (see in users settings on GH)
    • same for gitlab (API SSH Keys / GPG Keys, personal access token, clientID, clientSecret, ...)
    • also keybase.io
    • also automatically the secrethub ROOT TOKEN is generated for the bot, with no default organization
  • all secrets are owned by repos, which are owned by secrethub users : users are part of organizations, organizations own the secrets. So :
    • one real organization, may own many github, gtilab, secrethub organizations, for just one real project.
    • one org in bourne-bot != one secrethub org
    • one org in bourne-bot may own several projects
    • one project in bourne-bot may own several github, gtilab, secrethub organizations
    • one bot in bourne-bot belong to only one bourne bot project
    • users belong to organizations,
    • One Team belong to one organization
    • One Team has members among users : notion of team owner, maintainer, simple member.
    • One Team can partner or own a project : Partner is like all contributors, and owner is like Official Core Team, Maintainer will be not owner, but delegated all admin, but can still kick you out to keep control.
    • One Team can partner a project owned by another Team from the same, or another organization
    • One Team that creates a project automatically owns the project.
    • All managed permissions are about bot management operations (secret rotation there ? audit, read/write access to secret, permission on CRUD operations on secrethub organization, using a given bot, that is you could give access to your secrets to other people ).

• For each secret :

  • bourne-bot gives features to manage the secret ok
  • but it would be even better, if for each secret, bourne-bot gave you the recipe to use the secret with secrethub :
    • in circle ci
    • in travis ci
    • in an application (nodejs, java, golang etc...)

• I know : bourne bot should create one secrethub account to impersonate the big-bot (the boss), and create many other user accounts, one for each service that will consume (that, for the audit to allow bourne bot to identify which sericce did what sing which IP Address...). I can do silent signup thanks to all the Secret Hub CLI command-line options see https://secrethub.io/docs/reference/cli/signup/.

• with that bourne bot impersonating the bot, I create all the repositories, and subdirectories (--mkdirs) so for example pok-us-io/pokus-api is a repo in the pok-us-io org

• for circle ci : I create a user account, named circleci_${YOURBOTNAME} I keep its root token in hashicorp vault,

• I then, with the first secret hub user, the big bot, invite the circleci_${YOURBOTNAME} secrethub user, in the pok-us-io org. The, can give read only permissions tokens for example...

• and there, one bot can still create and manage many secrethub organizations and many secret hub users, so still possible in bourne bot, to have one real org, owing many secrethub organizations.

• Why this idea : if circle ci and travis ci, use different secret Hub Users, bourne bot will see it using :

secrethub audit pok-us-io/api/staging/docker/quay/botusername --output-format="json" > myaudit.json
while read line; do echo $line | jq; done < myaudit.json

• all in all : I want to know for every bourne bot, what are the services doing with the secrets, sericvce accounts do not allow identifying those services

[Jean-Baptiste-Lasselle]

• actually : to create a new bot, register with keycloak process, exactly like microcksalows to give the initail email address, always required by almost all providers for signup
• add for each bot, a real hubot app, running as a standalone service (autodeployed, has a new traefik ingress route, no new CNAME entry, just Prefixes with like https://robots.bournebot.io/robot2 https://robots.bournebot.io/robot1 . Also add a webhook endpoint, so that every bot can receive webhooks form any one at https://robots.bournebot.io/robot2/webhooks
• from there, bots can do many things and are software : they are Infra structure as code.