snabblab / snabblab-nixos

NixOS configuration for the Snabb Lab

How to store secrets #25

Open domenkozar opened 8 years ago

domenkozar commented 8 years ago

With Hydra and snabb bot we have to store secrets besides the deployment. We don't want them to be exposed, so maybe we should consider encrypting them into git.

https://github.com/StackExchange/blackbox

lukego commented 8 years ago

Questions:

If our only secret is a GitHub API token, and it is only used by Snabb Bot, and we can revoke it and issue a new one at any time, then I don't think Blackbox helps us. However, we might want to either set up a minimal secure environment for running Snabb Bot or make sure the secrets are not dangerous.

I am not sure what secrets Hydra uses...?

Could be that running both Hydra and NixOps on the same server is problematic i.e. giving the whole community root access to the CI machine. Could consider separating those somehow.

domenkozar commented 8 years ago

What secrets do we have? Where do they need to be used?

Currently we have two for Hydra. One to sign built packages and one SSH key pair for Hydra to access build slaves. These keys are now present on eiger and my machine.

In the very near future we'll need a GitHub API token for Snabb Bot, as you've said. If that's a read-only token we can expose it to the public, as it's public access anyway.

I would limit access to eiger to only those working with infrastructure, to avoid any disasters. https://github.com/snabblab/snabblab-nixos/issues/19 would get rid of NixOps dependency and reduce human error at deployments (I'd really like that as it will improve our QA).

domenkozar commented 8 years ago

We could just use nixops to copy them on bootstrap: http://permalink.gmane.org/gmane.linux.distributions.nixos/20368
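The approach linked above, written out as an added example (this is not configuration from snabblab-nixos): NixOps' `deployment.keys` sends the two Hydra secrets named earlier in the thread to the target machine over SSH at deploy time, so they land under `/run/keys` instead of in the world-readable Nix store. The local paths under `./secrets/`, the hostnames and the Hydra e-mail address are assumptions for illustration; the `<name>-key.service` units and the `hydra-queue-runner` user are what NixOps and the NixOS Hydra module provide.

```nix
# Added example, not part of snabblab-nixos. Assumed: the secret files live
# beside this expression under ./secrets/ on the machine running nixops.
{
  hydra = { config, pkgs, ... }: {
    deployment.keys = {
      # Key Hydra uses to sign built packages (first secret in the thread).
      # keyFile is read on the deploying machine and copied over SSH; it is
      # never evaluated into a /nix/store path.
      "hydra-signing-key" = {
        keyFile = ./secrets/hydra-signing-key.sec;   # assumed local path
        user = "hydra-queue-runner";
        group = "hydra";
        permissions = "0440";
      };
      # SSH private key Hydra uses to reach the build slaves (second secret).
      "hydra-ssh-key" = {
        keyFile = ./secrets/hydra_rsa;               # assumed local path
        user = "hydra-queue-runner";
        group = "hydra";
        permissions = "0400";
      };
    };

    # /run/keys is a tmpfs populated after boot, so the service must wait for
    # the keys; NixOps creates one <name>-key.service unit per key.
    systemd.services.hydra-queue-runner = {
      after = [ "hydra-signing-key-key.service" "hydra-ssh-key-key.service" ];
      wants = [ "hydra-signing-key-key.service" "hydra-ssh-key-key.service" ];
    };

    services.hydra = {
      enable = true;
      hydraURL = "https://hydra.example.org";         # assumed
      notificationSender = "hydra@example.org";       # assumed
      # Reference the deployed copy, not a path inside the Nix store.
      extraConfig = ''
        binary_cache_secret_key_file = /run/keys/hydra-signing-key
      '';
    };
  };
}
```

Caveat worth knowing before relying on this: because `/run/keys` is a tmpfs, the keys disappear on reboot and have to be pushed again with `nixops send-keys` (a plain `nixops deploy` also re-sends them). Anyone who can run `nixops` against the deployment still holds the secrets, so this addresses the Nix store exposure, not the question raised above of who gets access to eiger.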

domenkozar commented 8 years ago

We'll need this very very soon now that davos is running NixOS. cc @eugeneia

eugeneia commented 8 years ago

Current solution is to store GitHub credentials for SnabbBot on eiger. For now I am satisfied with that. My proposed solution is to have a private repository that is a fork of snabblab-nixos which has a long lived branch that adds the secrets.

domenkozar commented 8 years ago

I'd do that + encrypting the files and sharing the key only through private conversations.

eugeneia commented 8 years ago

Encrypting anything seems overkill to me. Just have the secrets in a private repo, give access only to people who have to touch eiger. E.g. repo access would be the key.