Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wip: new(config): integrate pigeon. #1483

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
+47 −0
Open

wip: new(config): integrate pigeon. #1483

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions config/jobs/update-secrets/update-secrets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
postsubmits:
falcosecurity/test-infra:
- name: update-secrets-post-submit
branches:
- ^master$
decorate: true
max_concurrency: 1
run_if_changed: '^config/secrets.yaml$'
spec:
containers:
- image: ghcr.io/falcosecurity/pigeon:v0.3.0
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also need 3 env variables to be defined to connect to our 1password store: https://github.com/falcosecurity/pigeon/blob/main/pkg/pigeon/secrets_onepassword.go#L35

//   - `OP_CONNECT_TOKEN`: the API token to be used to authenticate the client
//     to your 1Password Connect instance.
//   - `OP_CONNECT_HOST`: the hostname of your 1Password Connect instance.
//   - `OP_VAULT`: a vault UUID from which retrieving the secrets.

command:
- pigeon
args:
- --conf=config/secrets.yaml
- --gh-token=/etc/github/oauth
- --verbose
volumeMounts:
- name: github
mountPath: /etc/github
readOnly: true
volumes:
- name: github
secret:
secretName: oauth-token
nodeSelector:
Archtype: "x86"
20 changes: 20 additions & 0 deletions config/secrets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
orgs:
falcosecurity:
actions:
secrets:
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are the org-wide secrets being used at the moment.

- DOCKERHUB_SECRET
- DOCKERHUB_USER
repos:
falco:
actions:
secrets:
- GPG_KEY
libs:
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are the repo-specific secrets being used atm.

actions:
secrets:
Copy link
Contributor Author

@FedeDP FedeDP May 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All of these secrets are NOT present in our 1-password store. We should:

  • move FEDEDP_GIST_SECRET to POIANA_GIST_SECRET
  • add all of them

- FEDEDP_GIST_SECRET
- PPC64LE_HOST
- PPC64LE_KEY
- PPC64LE_PORT
- PPC64LE_USERNAME

Loading