Auth follows the same process as Drone CI: authenticating grants access to an OAuth application on GitHub.
Many authentication methods are allowed, but in all cases:
whatever identity provider (GitLab, GitHub, ...) you used to sign up, an identity is created in Keycloak (take the Keycloak from the Apicurio/Microcks bundle), and the client ID / client secret from GitHub (or GitLab, etc.) is kept directly in HashiCorp Vault (no other database).
Now:
you create a Gmail and a GitHub account for your bot.
Once authenticated to bourne-bot, you can create a bot.
Then, for every bot, you can add an identity of a given type:
for GitHub, you have to provide a personal access token with enough permissions to query all required features in the GitHub API v4. You can also provide the client ID / client secret, SSH keys, GPG keys, and any other secret you keep for the bot. There is also a button that triggers the request for OAuth access to GitHub as an OAuth Application (see the user settings on GH).
Same for GitLab (API, SSH keys / GPG keys, personal access token, client ID, client secret, ...).
Also keybase.io.
Also, the SecretHub ROOT TOKEN is generated automatically for the bot, with no default organization.
All secrets are owned by repos, which are owned by SecretHub users; users are part of organizations, and organizations own the secrets. So:
one real organization may own many GitHub, GitLab and SecretHub organizations, for just one real project.
One org in bourne-bot != one SecretHub org.
One org in bourne-bot may own several projects.
One project in bourne-bot may own several GitHub, GitLab and SecretHub organizations.
One bot in bourne-bot belongs to exactly one bourne-bot project.
Users belong to organizations.
One Team belongs to one organization.
One Team has members among users: notion of team owner, maintainer, simple member.
One Team can partner or own a project: a Partner is like all contributors, and the owner is like the official Core Team. A Maintainer is not an owner but is delegated all admin rights; the owner can still kick a maintainer out to keep control.
One Team can partner a project owned by another Team from the same or another organization.
One Team that creates a project automatically owns the project.
All managed permissions are about bot management operations (secret rotation, audit, read/write access to secrets, permission on CRUD operations on a SecretHub organization, using a given bot; that is, you could give access to your secrets to other people).
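The org / team / project / bot relations and the role rules above, as an added illustration (not bourne-bot code). The action names and the exact split between what an owner, a maintainer, a plain member and a partner team may do are assumptions taken from the notes: a maintainer gets every admin action except removing other maintainers or transferring the project, which stay owner-only.

```python
"""Toy model of bourne-bot orgs, teams, projects and bots, with a role check.

Added illustration, not bourne-bot code. Action names and role permissions
are assumed from the notes above.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    OWNER = "owner"
    MAINTAINER = "maintainer"
    MEMBER = "member"


@dataclass
class Organization:
    name: str


@dataclass
class Team:
    name: str
    org: Organization
    members: dict = field(default_factory=dict)  # username -> Role


@dataclass
class Project:
    name: str
    owner_team: Team                                   # the team that created it
    partner_teams: list = field(default_factory=list)  # may come from other orgs
    secrethub_orgs: set = field(default_factory=set)   # one project, many SecretHub orgs
    bots: dict = field(default_factory=dict)           # bot name -> Bot


@dataclass
class Bot:
    name: str
    project: Project  # a bot belongs to exactly one project


# Assumed action groups (not from the page).
USE_ACTIONS = {"read_secret", "use_bot"}
ADMIN_ACTIONS = {"add_identity", "rotate_secret", "write_secret",
                 "crud_secrethub_org", "invite_partner"}
OWNER_ONLY = {"remove_maintainer", "transfer_project"}


def create_project(name, team):
    """A team that creates a project automatically owns it."""
    return Project(name=name, owner_team=team)


def register_bot(project, bot_name):
    """Attach a bot to its single project; refuse duplicates in that project."""
    if bot_name in project.bots:
        raise ValueError(f"bot {bot_name!r} already exists in {project.name}")
    bot = Bot(bot_name, project)
    project.bots[bot_name] = bot
    return bot


def allowed(user, action, project):
    """Decide whether `user` may perform `action` on `project`."""
    role = project.owner_team.members.get(user)
    if role == Role.OWNER:
        return True
    if role == Role.MAINTAINER:
        return action in ADMIN_ACTIONS | USE_ACTIONS
    if role == Role.MEMBER:
        return action in USE_ACTIONS
    # Partner teams are like contributors: they can use bots and read secrets.
    for team in project.partner_teams:
        if user in team.members:
            return action in USE_ACTIONS
    return False


def demo():
    """Build one project with an owner team and a partner team from another org."""
    org_a, org_b = Organization("acme"), Organization("contractor")
    core = Team("core", org_a, {"alice": Role.OWNER, "bob": Role.MAINTAINER})
    ext = Team("ext", org_b, {"carol": Role.MEMBER})
    project = create_project("pokus-api", core)
    project.partner_teams.append(ext)
    project.secrethub_orgs.update({"pok-us-io", "pok-us-io-staging"})
    register_bot(project, "mybot")
    return project
```

`demo()` returns a project you can query with `allowed()`: alice may do anything, bob may rotate secrets but not remove maintainers, and carol, in a partner team from another org, may read secrets but not administer.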
For each secret:
bourne-bot gives features to manage the secret, ok,
but it would be even better if, for each secret, bourne-bot gave you the recipe to use the secret with SecretHub:
in CircleCI,
in Travis CI,
in an application (Node.js, Java, Go, etc.).
I know: bourne-bot should create one SecretHub account to impersonate the big bot (the boss), and create many other user accounts, one for each service that will consume secrets (that is for the audit, to allow bourne-bot to identify which service did what, using which IP address...). I can do a silent signup thanks to the SecretHub CLI command-line options, see https://secrethub.io/docs/reference/cli/signup/.
With bourne-bot impersonating the bot, I create all the repositories and subdirectories (--mkdirs), so for example pok-us-io/pokus-api is a repo in the pok-us-io org.
For CircleCI: I create a user account named circleci_${YOURBOTNAME} and keep its root token in HashiCorp Vault.
I then, with the first SecretHub user, the big bot, invite the circleci_${YOURBOTNAME} SecretHub user into the pok-us-io org. Then I can give it read-only permissions, for example...
And there, one bot can still create and manage many SecretHub organizations and many SecretHub users, so it is still possible in bourne-bot to have one real org owning many SecretHub organizations.
Why this idea: if CircleCI and Travis CI use different SecretHub users, bourne-bot will see it using:
secrethub audit pok-us-io/api/staging/docker/quay/botusername --output-format="json" > myaudit.json
while read -r line; do echo "$line" | jq .; done < myaudit.json
All in all: I want to know, for every bourne-bot bot, what the services are doing with the secrets; service accounts do not allow identifying those services.
Actually: to create a new bot, register with the Keycloak process, exactly like Microcks allows, to give the initial email address, which is always required by almost all providers for signup.
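What the per-service SecretHub users buy you, as an added example (not bourne-bot or SecretHub code): the audit events are parsed and grouped by the service that owns the SecretHub user, so reads by CircleCI and Travis CI are told apart, and reads from an IP the service is not expected to use are flagged. The event field names (actor, action, ip_address, secret_path, time) and the JSON array shape are assumptions; the real `secrethub audit --output-format=json` layout may differ, and the sample below is constructed.

```python
"""Attribute secret access to consuming services via per-service SecretHub users.

Added illustration, not bourne-bot or SecretHub code. The audit event fields
are assumed; the sample audit output is constructed for this example.
"""
import json
from collections import defaultdict

# Constructed sample of what a JSON audit export might look like.
SECRET_USER = "pok-us-io/api/staging/docker/quay/botusername"
SECRET_PASS = "pok-us-io/api/staging/docker/quay/botpassword"
SAMPLE_AUDIT = json.dumps([
    {"actor": "circleci_mybot", "action": "read", "ip_address": "203.0.113.10",
     "secret_path": SECRET_USER, "time": "2020-05-01T10:00:00Z"},
    {"actor": "travisci_mybot", "action": "read", "ip_address": "198.51.100.7",
     "secret_path": SECRET_USER, "time": "2020-05-01T10:05:00Z"},
    {"actor": "circleci_mybot", "action": "read", "ip_address": "203.0.113.11",
     "secret_path": SECRET_PASS, "time": "2020-05-01T10:06:00Z"},
    {"actor": "mybot", "action": "write", "ip_address": "192.0.2.5",
     "secret_path": SECRET_USER, "time": "2020-05-01T09:00:00Z"},
    {"actor": "circleci_mybot", "action": "read", "ip_address": "198.51.100.99",
     "secret_path": SECRET_PASS, "time": "2020-05-01T10:30:00Z"},
])

# Naming convention assumed from the notes: <service>_<botname>.
SERVICE_PREFIXES = ("circleci_", "travisci_")

# Assumed allow-list of source addresses per service (constructed values).
ALLOWED_IPS = {
    "circleci": {"203.0.113.10", "203.0.113.11"},
    "travisci": {"198.51.100.7"},
}


def service_of(actor):
    """Map a SecretHub username back to the service it was created for."""
    for prefix in SERVICE_PREFIXES:
        if actor.startswith(prefix):
            return prefix.rstrip("_")
    return "bot-owner"  # the big bot itself, which writes/rotates secrets


def summarize(audit_json):
    """Count reads/writes and collect IPs and secret paths per service."""
    events = json.loads(audit_json)
    acc = defaultdict(lambda: {"reads": 0, "writes": 0, "ips": set(), "secrets": set()})
    for e in events:
        s = acc[service_of(e["actor"])]
        if e["action"] == "read":
            s["reads"] += 1
        elif e["action"] == "write":
            s["writes"] += 1
        s["ips"].add(e["ip_address"])
        s["secrets"].add(e["secret_path"])
    return {
        svc: {"reads": v["reads"], "writes": v["writes"],
              "ips": sorted(v["ips"]), "secrets": sorted(v["secrets"])}
        for svc, v in acc.items()
    }


def unexpected_sources(audit_json, allowed_ips):
    """Return (service, ip) pairs where a service read from an IP outside its allow-list."""
    flagged = set()
    for e in json.loads(audit_json):
        svc = service_of(e["actor"])
        if svc in allowed_ips and e["action"] == "read" \
                and e["ip_address"] not in allowed_ips[svc]:
            flagged.add((svc, e["ip_address"]))
    return sorted(flagged)


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_AUDIT), indent=2))
    print("unexpected:", unexpected_sources(SAMPLE_AUDIT, ALLOWED_IPS))
```

If both CI services shared a single SecretHub user, `service_of()` would return the same value for every read and the per-service breakdown (and the IP allow-list per service) would collapse into one bucket, which is exactly the attribution loss the per-service accounts avoid.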