# Rotate Secrets

Our infrastructure depends on various secrets that need rotation. This is usually done once per year; doing it on time keeps the transition smooth.
## GitLab subscription for the VELOREN group

We have a GitLab Open Source subscription for Veloren. It usually renews yearly on 20xx-06-30. An owner of the GitLab group has to fill out the form accordingly 3 weeks in advance so that they renew it. TODO: add the values to be entered in the request here.

(In case someone from GitLab reads this: thank you for your support!)
## GitLab PAT veloren-bot

The following tasks are done via our GitLab user veloren-bot. Access is handled by xMAC94x (@xmac94x). It is our only source of PATs across the Veloren infrastructure. Tokens should be set to rotate once a year.
### Labbot

Our Labbot requires a PAT to approve MRs and to comment on them.

Create a fine-grained token via User Settings -> Access -> Personal access tokens, named LABBOT_PAT, with the description: used for approval service.
Select "Only specific groups I am member of": veloren (group).
| Area | Element | Permission | Why |
|---|---|---|---|
| Project Planning | Work Item | Create, Update | Allows POST /projects/:id/merge_requests/:merge_request_iid/notes, used when Labbot comments on MRs |
| Project Planning | Work Item | Read | In case we want to check for already existing comments in the future |
| Repository | Merge Request | Approve | Allows POST /projects/:id/merge_requests/:merge_request_iid/approve, used by /approve |
| Repository | Merge Request | Merge | In case we want to allow this in the future |
| Repository | Merge Request | Read | Only needed if projects become private or reads are authenticated later |
Inject this token via the infrastructure repo by editing the encrypted values file with sops:
sops ops/labbot/prob/svalues.yaml
Create a new PR and merge it to master.
### Airshipper

Our Airshipper requires a PAT to integrate the GitLab webhooks with schedules.

Create a fine-grained token via User Settings -> Access -> Personal access tokens, named AIRSHIPPER_PAT, with the description: used for schedule data fetch.
Select "Only specific groups I am member of": veloren/veloren (project).
| Area | Element | Permission | Why |
|---|---|---|---|
| CI/CD | Pipeline Schedule | Read | Allows GET /projects/:id/pipeline_schedules and GET /projects/:id/pipeline_schedules/:pipeline_schedule_id, used by Airshipper to read schedule variables such as SCHEDULE_CADENCE |
| CI/CD | Job Artifact | Read | Only needed if artifact downloads must be authenticated in the future; allows GET /projects/:id/jobs/:job_id/artifacts |
Inject this token via the infrastructure repo by editing the encrypted values file with sops:
sops ops/airshipper/prob/svalues.yaml
Create a new PR and merge it to master.
### CI Integration

This token is used to push tags from our CI, e.g. by schedules on the veloren or infrastructure repos.

Create a legacy token via User Settings -> Access -> Personal access tokens, named VELOREN_GITLAB_TOKEN_WRITE, with the description: allows our CI to push tags.
Give it the WRITE REPOSITORY permission (the `write_repository` scope) and nothing more.
Put that token in the veloren/veloren CI variable named GITLAB_TOKEN_WRITE. It should be masked, protected, and have "Expand variable reference" enabled.
## FAQ

### How do I detect that tokens need to be rotated?

Typical symptoms are:
- Labbot can no longer approve MRs, but still detects that MRs are closed
- The weekly release does not happen
- It's May and xMAC94x hasn't rotated them yet.
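Waiting for Labbot or the weekly release to break is a late signal. As an added example (not code from the infrastructure repo or any Veloren project), the script below asks GitLab about each of the service tokens named in this runbook and flags the ones that are revoked, expired, expiring within the next few weeks, or set to never expire, and reports any scopes beyond what the runbook grants. It assumes GitLab's `GET /api/v4/personal_access_tokens/self` endpoint (which returns the metadata of the token used to authenticate); the environment variable names, the 21-day warning window and the sample responses are constructed for this example.

```python
"""Expiry and scope check for the service PATs listed in this runbook.

Added example, not code from the Veloren infrastructure repo. Assumes the
GitLab endpoint GET /api/v4/personal_access_tokens/self, which returns the
metadata (name, active, revoked, expires_at, scopes) of the token used to
authenticate the request. Environment variable names, the warning window
and the sample responses are constructed for the example.
"""
import json
import os
import urllib.request
from datetime import date
from typing import Optional

# Warn this many days before expiry (assumed; mirrors the 3-week lead time
# the runbook uses for the subscription renewal).
WARN_DAYS = 21

# Token name from the runbook -> environment variable holding it (assumed).
TOKEN_ENV = {
    "LABBOT_PAT": "LABBOT_PAT",
    "AIRSHIPPER_PAT": "AIRSHIPPER_PAT",
    "VELOREN_GITLAB_TOKEN_WRITE": "GITLAB_TOKEN_WRITE",
}


def parse_token_info(body: str) -> dict:
    """Reduce the JSON from /personal_access_tokens/self to what we check."""
    info = json.loads(body)
    expires = info.get("expires_at")
    return {
        "name": info.get("name"),
        # A revoked token is unusable regardless of what "active" says.
        "active": bool(info.get("active", False)) and not info.get("revoked", False),
        "expires_at": date.fromisoformat(expires) if expires else None,
        "scopes": list(info.get("scopes") or []),
    }


def days_until_expiry(info: dict, today: date) -> Optional[int]:
    """Days left before expiry; None when the token has no expiry date."""
    if info["expires_at"] is None:
        return None
    return (info["expires_at"] - today).days


def needs_rotation(info: dict, today: date, warn_days: int = WARN_DAYS) -> bool:
    """True if the token is unusable, expired, expiring soon, or never expires.

    "Never expires" is flagged too: the runbook wants every token rotated
    once a year, so a token without an expiry date is itself a finding.
    """
    if not info["active"]:
        return True
    left = days_until_expiry(info, today)
    return left is None or left <= warn_days


def extra_scopes(info: dict, expected: set) -> list:
    """Scopes the token carries beyond the ones the runbook grants it."""
    return sorted(set(info["scopes"]) - set(expected))


def evaluate(body: str, today_iso: str, expected_scopes: set = frozenset(),
             warn_days: int = WARN_DAYS) -> dict:
    """Summarise one token response as a flat dict for reporting."""
    info = parse_token_info(body)
    today = date.fromisoformat(today_iso)
    return {
        "name": info["name"],
        "days_left": days_until_expiry(info, today),
        "needs_rotation": needs_rotation(info, today, warn_days),
        "extra_scopes": extra_scopes(info, expected_scopes),
    }


def fetch_token_info(base_url: str, token: str) -> str:
    """Fetch the raw JSON describing the token that authenticates this call."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/personal_access_tokens/self",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses, shaped like the endpoint's JSON; values invented.
SAMPLE_HEALTHY = json.dumps({"name": "LABBOT_PAT", "active": True, "revoked": False,
                             "expires_at": "2026-06-30", "scopes": ["api"]})
SAMPLE_EXPIRING = json.dumps({"name": "AIRSHIPPER_PAT", "active": True, "revoked": False,
                              "expires_at": "2025-07-05", "scopes": ["read_api"]})
SAMPLE_REVOKED = json.dumps({"name": "VELOREN_GITLAB_TOKEN_WRITE", "active": True,
                             "revoked": True, "expires_at": "2026-01-01",
                             "scopes": ["api", "write_repository"]})
SAMPLE_NO_EXPIRY = json.dumps({"name": "LABBOT_PAT", "active": True, "revoked": False,
                               "expires_at": None, "scopes": ["api"]})


def main() -> None:
    """Check every token found in the environment against the live API."""
    base_url = os.environ.get("GITLAB_URL", "https://gitlab.com")  # assumed variable
    today = date.today().isoformat()
    for name, env in TOKEN_ENV.items():
        token = os.environ.get(env)
        if not token:
            print(f"{name}: {env} not set, skipped")
            continue
        result = evaluate(fetch_token_info(base_url, token), today)
        flag = "ROTATE" if result["needs_rotation"] else "ok"
        print(f"{name}: {flag}, days_left={result['days_left']}")


if __name__ == "__main__":
    main()
```

Run it from a scheduled CI job or a cron entry a few weeks before 06-30 with the tokens exported under the assumed variable names; passing the runbook's scope list (for the CI token, `{"write_repository"}`) to `evaluate` also surfaces tokens that were created with broader rights than the tables above intend.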