Automatic GitLab access token rotation for Woodhouse
Woodhouse is currently using Personal Access Tokens from the ops-gitlab-net
user querying and updating issues it various projects, and for mirror pipeline notifications. Those tokens eventually expires and need to be renewed manually, which is not ideal and will be forgotten and will lead to Woodhouse breaking periodically.
Solution: we want to switch to using Project Access Tokens, provisioned and automatically rotated by infra-mgmt
.
Scope:
-
Identify which projects Woodhouse queries and updates issues in -
Import Woodhouse and its mirror into infra-mgmt
-
Provisioned a Project Access Token that has access to the above projects, stored in Vault under a path accessible by its Kubernetes deployment -
Update its Kubernetes deployment to use the new token -
Delete the old Personal Access Token -
Update the documentation:
Edited by Pierre Guinoiseau