Add encrypted CRC_PULL_SECRET by majamassarini · Pull Request #648 · packit/deployment


 Not all services use all of them. For example `copr` is needed only by `packit` service.
+
+## Encrypting Secrets for OpenShift Tests in Testing Farm


if this is needed only for running from forks, I would mention it explicitly in the title, and also add a note in the beginning that if you have the access and create branches in the repo itself, this process is not needed

If you don't run the test from a fork, someone still has to go through this procedure and encrypt the CRC pull secret against the main packit repo. So I think the title is ok. I should probably make it clearer in the description below. I will try to rephrase it.

docs/deployment/secrets.md

lbarcziova · 2025-03-11T09:22:49Z

playbooks/oc-cluster-run.yml

+    - name: Look for pull_secret (splitted in small parts due to testing farm encryption)
+      ansible.builtin.set_fact:
+        pull_secret_part_1: "{{ lookup('env', 'CRC_PULL_SECRET_PART_1') }}"
+        pull_secret_part_2: "{{ lookup('env', 'CRC_PULL_SECRET_PART_2') }}"
+        pull_secret_part_3: "{{ lookup('env', 'CRC_PULL_SECRET_PART_3') }}"
+        pull_secret_part_4: "{{ lookup('env', 'CRC_PULL_SECRET_PART_4') }}"
+        pull_secret_part_5: "{{ lookup('env', 'CRC_PULL_SECRET_PART_5') }}"
+        pull_secret_part_6: "{{ lookup('env', 'CRC_PULL_SECRET_PART_6') }}"
+        pull_secret_part_7: "{{ lookup('env', 'CRC_PULL_SECRET_PART_7') }}"
+      when: pull_secret == ""
+
+    - name: Rebuild pull_secret from its parts
+      ansible.builtin.set_fact:
+        pull_secret: "{{ pull_secret_part_1 }}{{ pull_secret_part_2 }}{{ pull_secret_part_3 }}{{ pull_secret_part_4 }}{{ pull_secret_part_5 }}{{ pull_secret_part_6 }}{{ pull_secret_part_7 }}"
+      when: pull_secret == "" and pull_secret_part_1 != ""


could this be simplified using a list, like pull_secret_parts?

I am not sure I follow, you mean simplify with a loop? I am not sure I can dynamically create variable names in ansible. I would not know hot to do that.

If you mean, instead, recreate the secret outside of ansible, it can be done, but since I have some checks here I preferred to do it here.

I meant the first way. But I don't know the details on how to do this with ansible, so I am ok with leaving as it is.

I think I have an idea for this…

softwarefactory-project-zuul · 2025-03-11T14:08:24Z

Build succeeded.
https://softwarefactory-project.io/zuul/t/packit-service/buildset/012e6f02d4cc48ccbb0abe292e8842f9

✔️ pre-commit SUCCESS in 1m 30s

softwarefactory-project-zuul · 2025-03-11T14:16:35Z

Build succeeded.
https://softwarefactory-project.io/zuul/t/packit-service/buildset/43c7dd3851194fa8b78176abf46fd649

✔️ pre-commit SUCCESS in 1m 29s

lbarcziova

🙏

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 0abb1c6 to 6b95f96 Compare March 5, 2025 10:28

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 6b95f96 to 7d0aff7 Compare March 5, 2025 10:41

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 7d0aff7 to c7467d1 Compare March 5, 2025 10:44

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from c7467d1 to 40ee5f3 Compare March 5, 2025 11:12

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 400934a to 2eb1e75 Compare March 5, 2025 12:38

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 2eb1e75 to fd1b5cf Compare March 5, 2025 13:07

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from fd1b5cf to 0349c77 Compare March 5, 2025 13:11

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 0349c77 to bd7a86e Compare March 5, 2025 13:21

majamassarini force-pushed the openshift-tests-with-tf-secrets branch 2 times, most recently from 84e22e3 to cb40675 Compare March 5, 2025 13:30

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from cb40675 to d47e43b Compare March 5, 2025 13:54

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from d47e43b to afa686c Compare March 5, 2025 14:53

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from afa686c to 861cb75 Compare March 5, 2025 14:55

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 861cb75 to 83532f6 Compare March 6, 2025 08:39

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 83532f6 to 6a8a424 Compare March 6, 2025 14:31

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 638a056 to e960d56 Compare March 7, 2025 14:14

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 784452a to 67a55c3 Compare March 10, 2025 08:51

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 67a55c3 to 7f081d0 Compare March 10, 2025 08:57

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 7f081d0 to f159fc7 Compare March 10, 2025 09:05

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from f159fc7 to 53efadb Compare March 10, 2025 09:10

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 01e3426 to 065af09 Compare March 10, 2025 09:36

majamassarini added 2 commits March 10, 2025 11:38

Add encrypted CRC_PULL_SECRET

0a3bda1

Use packit for triggering OpenShift test

b2d2ef6

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from 065af09 to c2a2a8b Compare March 10, 2025 10:39

Document how to create encrypted secret for OpenShift tests

26c94df

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from c2a2a8b to ebd8a85 Compare March 10, 2025 10:55

lbarcziova reviewed Mar 11, 2025

View reviewed changes

Add comments for mapping an encoded secret

f5f03bd

majamassarini force-pushed the openshift-tests-with-tf-secrets branch from c7d5777 to f5f03bd Compare March 11, 2025 14:14

lbarcziova approved these changes Mar 11, 2025

View reviewed changes

majamassarini added the mergeit Merge via Zuul label Mar 11, 2025

majamassarini marked this pull request as ready for review March 12, 2025 08:22

majamassarini merged commit 0c2fdf7 into packit:main Mar 12, 2025
4 checks passed


		Not all services use all of them. For example `copr` is needed only by `packit` service.

		## Encrypting Secrets for OpenShift Tests in Testing Farm

Conversation

majamassarini commented Mar 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 5, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 6, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 7, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 7, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 10, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 10, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 10, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 10, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 10, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 10, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 10, 2025

Uh oh!

softwarefactory-project-zuul bot commented Mar 10, 2025

Uh oh!

lbarcziova left a comment

Choose a reason for hiding this comment

Uh oh!

lbarcziova Mar 11, 2025

Choose a reason for hiding this comment

Uh oh!

majamassarini Mar 11, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

lbarcziova Mar 11, 2025

Choose a reason for hiding this comment

Uh oh!

majamassarini Mar 11, 2025

Choose a reason for hiding this comment

Uh oh!

majamassarini Mar 11, 2025

Choose a reason for hiding this comment

Uh oh!

lbarcziova Mar 11, 2025

Choose a reason for hiding this comment

Uh oh!

mfocko Mar 11, 2025

Choose a reason for hiding this comment

Uh oh!

softwarefactory-project-zuul bot commented Mar 11, 2025

majamassarini commented Mar 5, 2025 •

edited

Loading