
Generate Workhorse and Rails secrets

Jon Doveston requested to merge add-rails-and-workhorse-secret-generation into main

What does this MR do?

Add an early stage in the application config workflow to generate four Secrets.

  • Rails key bases (a set of four 128-character hex strings)
  • Workhorse secret (a single 32-character string)
  • OpenID Connect signing key (SSH-format RSA 2048-bit private key)
  • CI JWT signing key (SSH-format RSA 2048-bit private key)

These Secrets all have fixed names (prefixed by the release) and are created only if they do not already exist. The appropriate generator annotations are added but they are not configured to expire. They are generated by inline generator code, not by a separate secret generator process.

The secrets are then added to the dereference list, which will fail if any are missing. It is not impossible that there might be a failure due to inconsistency in the Kube API updates. It is expected that, if this happens, the next reconcile will succeed.

This dereferenced secrets list is passed to the template environment so future templates can render the secrets in the gitlab.yaml or rails.yaml templates.

Author's Checklist

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Ensure a release milestone is set.
  • MR title and description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • MR has a green pipeline on GitLab.com.
  • When ready for review, MR is labeled workflow::ready for review per the MR workflow.

Expected

  • Test plan indicating conditions for success has been posted and passes.
  • Documentation is created or updated.
  • Tests are added.

Related issues

Part of #21

Edited by Jon Doveston
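As an added illustration of the generate-then-dereference flow the MR description above lays out, the following Go sketch is example code written for this page, not the operator's own implementation. It builds the four Secrets with crypto/rand and crypto/rsa, creates each one only when it is absent from an in-memory map that stands in for the Kube API, then dereferences all four for the template environment and fails if any is missing. The Secret name suffixes, the data-key names inside each Secret, and the choice of hex for the 32-character Workhorse secret are assumptions; the generator annotations mentioned in the MR are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
)

// secretStore stands in for the Kubernetes API: Secret name -> data (constructed for this example).
type secretStore map[string]map[string][]byte

// randomHex returns nBytes of CSPRNG output hex-encoded, i.e. a 2*nBytes-character string.
func randomHex(nBytes int) ([]byte, error) {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return []byte(hex.EncodeToString(b)), nil
}

// rsaKeyPEM generates a 2048-bit RSA key as PKCS#1 PEM, the form `ssh-keygen -m PEM` writes.
func rsaKeyPEM() (map[string][]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	block := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
	return map[string][]byte{"key": pem.EncodeToMemory(block)}, nil
}

// generators maps each Secret's name suffix (assumed names) to the function that builds its data.
var generators = map[string]func() (map[string][]byte, error){
	"rails-secret": func() (map[string][]byte, error) {
		d := map[string][]byte{}
		// Data-key names for the four key bases are assumed, not taken from the MR.
		for _, k := range []string{"secret_key_base", "otp_key_base", "db_key_base", "encrypted_settings_key_base"} {
			v, err := randomHex(64) // 64 bytes -> 128 hex characters
			if err != nil {
				return nil, err
			}
			d[k] = v
		}
		return d, nil
	},
	"workhorse-secret": func() (map[string][]byte, error) {
		v, err := randomHex(16) // 16 bytes -> 32 hex characters
		return map[string][]byte{"shared_secret": v}, err
	},
	"openid-connect-signing-key": rsaKeyPEM,
	"ci-jwt-signing-key":         rsaKeyPEM,
}

// ensureSecrets creates each missing Secret, never overwriting one that exists, and returns
// how many it created; a second run against the same store therefore reports 0.
func ensureSecrets(store secretStore, release string) (int, error) {
	created := 0
	for suffix, gen := range generators {
		name := release + "-" + suffix
		if _, exists := store[name]; exists {
			continue
		}
		data, err := gen()
		if err != nil {
			return created, fmt.Errorf("generate %s: %w", name, err)
		}
		store[name] = data
		created++
	}
	return created, nil
}

// dereference fetches every expected Secret for the template environment and fails on the
// first missing one; the caller is expected to requeue and retry on the next reconcile.
func dereference(store secretStore, release string) (map[string]map[string][]byte, error) {
	out := map[string]map[string][]byte{}
	for suffix := range generators {
		data, ok := store[release+"-"+suffix]
		if !ok {
			return nil, fmt.Errorf("secret %s-%s not found; retry on next reconcile", release, suffix)
		}
		out[suffix] = data
	}
	return out, nil
}

// validate checks the dereferenced data has the shapes the MR describes:
// four 128-char hex key bases, a 32-char Workhorse secret and two 2048-bit RSA private keys.
func validate(data map[string]map[string][]byte) error {
	if n := len(data["rails-secret"]); n != 4 {
		return fmt.Errorf("expected 4 rails key bases, got %d", n)
	}
	for k, v := range data["rails-secret"] {
		if raw, err := hex.DecodeString(string(v)); err != nil || len(raw) != 64 {
			return fmt.Errorf("%s is not a 128-char hex string", k)
		}
	}
	if n := len(data["workhorse-secret"]["shared_secret"]); n != 32 {
		return fmt.Errorf("workhorse secret is %d chars, want 32", n)
	}
	for _, suffix := range []string{"openid-connect-signing-key", "ci-jwt-signing-key"} {
		block, _ := pem.Decode(data[suffix]["key"])
		if block == nil || block.Type != "RSA PRIVATE KEY" {
			return fmt.Errorf("%s: not a PKCS#1 PEM private key", suffix)
		}
		if key, err := x509.ParsePKCS1PrivateKey(block.Bytes); err != nil || key.N.BitLen() != 2048 {
			return fmt.Errorf("%s: not a valid 2048-bit RSA key", suffix)
		}
	}
	return nil
}

func main() {
	store := secretStore{}
	n, err := ensureSecrets(store, "gitlab")
	fmt.Println("secrets created:", n, "error:", err)
}
```

Running ensureSecrets a second time against the same store creates nothing, which is the create-only-if-absent behaviour the MR describes; removing one Secret from the store makes dereference return an error instead of a partial map, so the templates never see an incomplete set. The validate function is the shape check a reviewer would want before the data reaches gitlab.yaml or rails.yaml: hex length, Workhorse secret length, and a parseable 2048-bit PKCS#1 key.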
