moving base64 key for ci-reports to vault
Introduction
This MR follows the baseline implementation of Vault, which can be seen in the issue nunet-infra#217.
As of now, the only secret being migrated is the base64-encoded SSH key used to upload HTML reports to the CI web server hosted on the Hetzner dev server.
This MR also exemplifies how one would retrieve secrets from Vault in the GitLab CI pipeline.
Implementation
The secret was registered at vault.nunet.io in the kv engine installed in the nunet namespace, under the key devops/ssh-keys/ci-reports (which can be verified in the corresponding line of !94 (diffs)). That key holds hostname, base64-key and username values; however, as of now only base64-key is actively used.
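As an added illustration (not part of this MR's diff), the job below pulls the three fields of devops/ssh-keys/ci-reports with GitLab's native `secrets:` Vault integration and uses the decoded key for the upload. It assumes the kv engine is mounted at `nunet`, that a JWT auth role named `ci-reports` exists at the default `jwt` auth path, that a `CI_REPORTS_KNOWN_HOSTS` variable carries the web server's host key, and that the reports are built into `public/`; the job name is a placeholder.

```yaml
# Added example, not code from this MR. Assumed (not stated in the MR): kv engine
# mounted at "nunet", JWT auth role "ci-reports" at auth path "jwt", reports in
# public/, and a CI variable CI_REPORTS_KNOWN_HOSTS holding the server host key.
variables:
  VAULT_SERVER_URL: https://vault.nunet.io
  VAULT_AUTH_ROLE: ci-reports      # assumed role name
  VAULT_AUTH_PATH: jwt             # assumed auth mount (GitLab default)

upload-ci-reports:
  stage: deploy
  image: alpine:3.19
  id_tokens:
    # Short-lived OIDC token minted by GitLab per job; Vault validates it via its
    # JWT auth backend, so no long-lived Vault token is stored as a CI variable.
    VAULT_ID_TOKEN:
      aud: https://vault.nunet.io
  secrets:
    # Each field of devops/ssh-keys/ci-reports becomes a CI variable; "@nunet"
    # names the kv mount, and the latest version of the key is read.
    CI_REPORTS_KEY_B64:
      vault: devops/ssh-keys/ci-reports/base64-key@nunet
      token: $VAULT_ID_TOKEN
      file: false   # keep the value in the variable rather than a temp file
    CI_REPORTS_HOST:
      vault: devops/ssh-keys/ci-reports/hostname@nunet
      token: $VAULT_ID_TOKEN
      file: false
    CI_REPORTS_USER:
      vault: devops/ssh-keys/ci-reports/username@nunet
      token: $VAULT_ID_TOKEN
      file: false
  before_script:
    - apk add --no-cache openssh-client
    - install -d -m 0700 ~/.ssh
    # Pin the server host key so the upload fails on an unexpected host.
    - printf '%s\n' "$CI_REPORTS_KNOWN_HOSTS" > ~/.ssh/known_hosts
    # Decode into a 0600 file; never echo the key or run these steps with set -x.
    - umask 077 && printf '%s' "$CI_REPORTS_KEY_B64" | base64 -d > ~/.ssh/ci-reports
    # Sanity-check that the decoded bytes are a usable private key.
    - ssh-keygen -y -f ~/.ssh/ci-reports > /dev/null
  script:
    - scp -o StrictHostKeyChecking=yes -i ~/.ssh/ci-reports -r public/ "$CI_REPORTS_USER@$CI_REPORTS_HOST:reports/$CI_COMMIT_SHORT_SHA/"
  after_script:
    - rm -f ~/.ssh/ci-reports
```

If `nunet` is a Vault Enterprise namespace rather than the kv mount name, set `VAULT_NAMESPACE: nunet` under `variables:` and replace `@nunet` with the actual mount path.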
Feedback
As of now, the devops role in Vault doesn't have the permissions needed for practical maintenance of the secrets: it still lacks list permission on the devops subpath of the kv store and delete permission on registered keys, both of which are necessary to maintain secrets long term without relying on the security team. This feedback has already been forwarded to @umair-nunet.
All in all, the integration and baseline Vault implementation work correctly.
Once this MR is merged we can see how Vault supports GitLab CI in practice, when DMS starts pulling this secret actively with each pipeline. We don't expect hiccups or downtime to occur, but that is what we are going to validate once this is merged.
If all goes well, we move to a second phase: selecting and moving more secrets from GitLab variables to Vault, using the corresponding namespaces in the Vault kv store.
Related issues
Closes nunet-infra#217