Skip to content

Rotate CI passwords (zed)#2238

Merged
priteau merged 2 commits intostackhpc/zedfrom
pw-rotation-zed
Mar 30, 2026
Merged

Rotate CI passwords (zed)#2238
priteau merged 2 commits intostackhpc/zedfrom
pw-rotation-zed

Conversation

@Alex-Welsh
Copy link
Copy Markdown
Member

@Alex-Welsh Alex-Welsh commented Mar 30, 2026

No description provided.

@Alex-Welsh Alex-Welsh requested a review from a team as a code owner March 30, 2026 10:42
gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the repository mirror usernames and vaulted passwords for the ci-aio and ci-builder environments, appending a release-specific suffix. The feedback suggests using the openstack_release variable instead of hardcoding 'zed' to improve maintainability and ensure better environment isolation.

etc/kayobe/environments/ci-aio/stackhpc-ci.yml
# Use Ark's package repositories to install packages.
stackhpc_repo_mirror_url: "{{ stackhpc_release_pulp_url }}"
stackhpc_repo_mirror_username: "skc-ci-aio"
stackhpc_repo_mirror_username: "skc-ci-aio-zed"
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To improve maintainability and ensure environment isolation, consider using the openstack_release variable to construct the username instead of hardcoding 'zed'. This aligns with practices seen elsewhere in the configuration and supports the requirement to use dedicated credentials for distinct environments to improve security.

stackhpc_repo_mirror_username: "skc-ci-aio-{{ openstack_release }}"
References
  1. Use dedicated credentials and users for distinct environments to improve security and isolation, rather than sharing them.

etc/kayobe/environments/ci-builder/stackhpc-ci.yml
# Use Ark's package repositories to install packages.
stackhpc_repo_mirror_url: "{{ stackhpc_repo_mirror_auth_proxy_url if stackhpc_repo_mirror_auth_proxy_enabled | bool else stackhpc_release_pulp_url }}"
stackhpc_repo_mirror_username: "skc-ci-builder-reader"
stackhpc_repo_mirror_username: "skc-ci-builder-reader-zed"
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To improve maintainability and ensure environment isolation, consider using the openstack_release variable to construct the username instead of hardcoding 'zed'. This makes the configuration more dynamic and ensures that credentials remain dedicated to the specific environment and release, improving security and isolation.

stackhpc_repo_mirror_username: "skc-ci-builder-reader-{{ openstack_release }}"
References
  1. Use dedicated credentials and users for distinct environments to improve security and isolation, rather than sharing them.

@Alex-Welsh Alex-Welsh closed this Mar 30, 2026
@Alex-Welsh Alex-Welsh reopened this Mar 30, 2026
@priteau priteau merged commit 3477c95 into stackhpc/zed Mar 30, 2026
10 of 24 checks passed
@priteau priteau deleted the pw-rotation-zed branch March 30, 2026 12:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@priteau priteau priteau approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Alex-Welsh @priteau