[rdo-dev] Regenerate secrets required by zuul jobs

Alfredo Moralejo Alonso amoralej at redhat.com
Thu Jul 19 16:19:08 UTC 2018


On Thu, Jul 19, 2018 at 5:35 PM, Paul Belanger <pabelanger at redhat.com>
wrote:

> On Thu, Jul 19, 2018 at 09:21:11AM +0200, Haïkel Guémar wrote:
> > On 18/07/18 22:24, Paul Belanger wrote:
> > > Greetings,
> > >
> > > With the recent Jenkins security advisory today, I realized we just imported the
> > > current secrets from jenkins into zuulv3.  I'd like to propose, just to be extra
> > > safe, we perform a re-key of everything that uses secrets.
> > >
> > > I'm not sure if this has ever been done with jenkins, but we should also
> > > consider some policy to re-key everything every x months too.
> > >
> > > Thoughts?
> > > _______________________________________________
> > > dev mailing list
> > > dev at lists.rdoproject.org
> > > http://lists.rdoproject.org/mailman/listinfo/dev
> > >
> > > To unsubscribe: dev-unsubscribe at lists.rdoproject.org
> > >
> >
> > The current CBS credentials for RDO have never been into Jenkins.
> >
> Thanks, the SSH key for images.r.o is also safe, we've rotated that. What about
> things needed for weirdo and other secrets?  Who would know more about
> them?
>

I can help on that. That secret is an API token that can only be used to
trigger builds of some specific jobs in ci.centos.org.



>
> - Paul