Skip to content

Rotate CI passwords (antelope) #2239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
priteau merged 3 commits into from
Mar 30, 2026
Merged

Rotate CI passwords (antelope) #2239

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e825245
Rotate CI passwords
Alex-Welsh Mar 30, 2026
d47c8b1
Merge branch 'stackhpc/2023.1' into pw-rotation-antelope
Alex-Welsh Mar 30, 2026
5c5019b
(automated) Bump kayobe to stackhpc/14.7.0.24
stackhpc-ci Mar 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions etc/kayobe/environments/ci-aio/stackhpc-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,14 @@ kolla_enable_heat: false
# Build and deploy the development Pulp service repositories.
# Use Ark's package repositories to install packages.
stackhpc_repo_mirror_url: "{{ stackhpc_release_pulp_url }}"
stackhpc_repo_mirror_username: "skc-ci-aio"
stackhpc_repo_mirror_username: "skc-ci-aio-antelope"
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To improve maintainability and avoid hardcoding the release name, consider using the openstack_release_codename variable to construct this username. This will make it easier to update for future OpenStack releases. Ensure that the resulting username remains dedicated to this environment to maintain isolation as per security guidelines.

stackhpc_repo_mirror_username: "skc-ci-aio-{{ openstack_release_codename }}"
References
  1. Use dedicated credentials and users for distinct environments to improve security and isolation, rather than sharing them.

stackhpc_repo_mirror_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
35653866346637626633653732386263666231303237656135626532343437353631383732666362
3038636431336336343561626130383965303233353632350a323130653166646464316361643138
61303139643865613063613765623530636665663534613263343562383037396236333762653338
6262333936616630620a343831666162386537373838393938333537373839633630393930333430
30353263323831666237346162326564326238343764643731383931396536353933
32623737376465356539313839373063326562323066346463643731353830383530353931326436
3662383737386664373461396430366337366330323039370a393564326438373233343930656534
31643161333635623431323431633536643063643833373862383536643036636265653931306663
6336626461376231630a643437626234383630623738646630393066653466663336393539316435
62663239373332383935623166346564643539643862343565613332633861396361

# Build against released Pulp repository versions.
stackhpc_repo_grafana_version: "{{ stackhpc_pulp_repo_grafana_version }}"
Expand Down
12 changes: 6 additions & 6 deletions etc/kayobe/environments/ci-builder/stackhpc-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,14 +36,14 @@ kolla_build_neutron_ovs: true
# Build against the development Pulp service repositories.
# Use Ark's package repositories to install packages.
stackhpc_repo_mirror_url: "{{ stackhpc_repo_mirror_auth_proxy_url if stackhpc_repo_mirror_auth_proxy_enabled | bool else stackhpc_release_pulp_url }}"
stackhpc_repo_mirror_username: "skc-ci-builder-reader"
stackhpc_repo_mirror_username: "skc-ci-builder-reader-antelope"
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To improve maintainability and avoid hardcoding the release name, consider using the openstack_release_codename variable to construct this username. This will make it easier to update for future OpenStack releases. Ensure that the resulting username remains dedicated to this environment to maintain isolation as per security guidelines.

stackhpc_repo_mirror_username: "skc-ci-builder-reader-{{ openstack_release_codename }}"
References
  1. Use dedicated credentials and users for distinct environments to improve security and isolation, rather than sharing them.

stackhpc_repo_mirror_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
65353432616332643332646463303562326534633935343338323562343062323936393861636637
6364653733343035623138316561316462313939393430300a666436633535323163386338336266
64346461653933613838643163333932353365613535373038663731666230663632646531343662
6362346163613633390a663264626438333263386132326238623866633466373635666161326462
61346130346339643433656562363366623561356162386138616430356463613633
31323137656135646165393064313761626339313138356464316334343235343665323836653336
3263613766313332306562656332346561363536313230340a333935646163666539353338613436
33626163333633646461666631643062383761376332396231326361636432316661363161323862
3339653936386435330a346233353062653931663965663938323665633136616132336232323533
64626161373938343437323133366264313332373930363565333964646334333132

# Build against released Pulp repository versions.
stackhpc_repo_grafana_version: "{{ stackhpc_pulp_repo_grafana_version }}"
Expand Down
2 changes: 1 addition & 1 deletion requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
kayobe@git+https://github.com/stackhpc/kayobe@stackhpc/14.7.0.23
kayobe@git+https://github.com/stackhpc/kayobe@stackhpc/14.7.0.24
ansible-modules-hashivault>=5.2.1
jmespath
Loading