Skip to content

open-infrastructure-labs/moc-cnv-sandbox

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

245 Commits
callback_plugins
callback_plugins
 
 
docs
docs
 
 
group_vars
group_vars
 
 
manifests
manifests
 
 
meeting-notes
meeting-notes
 
 
roles
roles
 
 
scripts
scripts
 
 
test_plugins
test_plugins
 
 
.gitignore
.gitignore
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
.gitmodules
.gitmodules
 
 
.vault_pgp_keys
.vault_pgp_keys
 
 
.vault_secret
.vault_secret
 
 
.yamllint.yml
.yamllint.yml
 
 
README.md
README.md
 
 
ansible.cfg
ansible.cfg
 
 
hosts.yml
hosts.yml
 
 
playbook-bmh.yml
playbook-bmh.yml
 
 
playbook-mailinglist.yml
playbook-mailinglist.yml
 
 
playbook-ocs.yml
playbook-ocs.yml
 
 
playbook-postinstall.yml
playbook-postinstall.yml
 
 
playbook-preinstall.yml
playbook-preinstall.yml
 
 
playbook-ssh-keys.yml
playbook-ssh-keys.yml
 
 
requirements.txt
requirements.txt
 
 
requirements.yml
requirements.yml
 
 
test-requirements.txt
test-requirements.txt
 
 

Repository files navigation

MOC CNV Sandbox

Configuration and documentation for the CNV Sandbox at the Mass Open Cloud (MOC).

Playbooks

  • playbook-preinstall.yml

    Set up provisioning host and generate the install configuration.

  • playbook-postinstall.yml

    Fetches authentication credentials from the provisioning host and then uses the OpenShift API to perform post-configuration tasks (installing certificates, configuring SSO, installing CNV, etc).

Encryption

Files with credentials and other secrets are encrypted using ansible-vault. The vault key itself is included in the repository and is encrypted using GPG to the identities listed in the [.vault_pgp_keys][] file.

Adding a new PGP key

  1. Add the key fingerprint to .vault_pgp_keys.

    We use key fingerprints rather than email addresses to ensure that we are using the correct key (you may have multiple keys with the same email address in your keychain).

  2. Run the scripts/rekey-vault-secret.sh script. This will decrypt the vault secret and then re-encrypt it to all the identities in the list.

Updating the vault secret

If you want to replace the vault secret (e.g., you think the unencrypted secret has been compromised):

  1. Run the scripts/rekey-vault-files.sh script. This will generate a new random key, use ansible-vault to rekey all vaulted files with the new key, and then encrypt the key to the identities in .vault_pgp_keys.

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

6 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 5

Languages