Adding a New Secret to CI
Jobs execute as Pods; those that need access to sensitive information will have access to it through mounted Kubernetes Secrets. Secret data is managed self-service by the owners of the data.
Add A New Secret
In order to add a new secret to our system, you will first need to create a secret collection. Secret collections are managed at selfservice.vault.ci.openshift.org. Just head there, log in, create a new one and ideally also add your teammates as members. Important: Secret collection names are globally unique in our system.
Info: Users must have logged in to the DPTP Vault system at least once before they are listed as potential members.
The secrets themselves are managed in our Vault instance at vault.ci.openshift.org. You need to use the OIDC auth to log in there. After logging in, click on selfservice and you should see your secret collection.
To create a new secret, simply click Create secret and put your data into it. To actually use it, it needs to be propagated into the build clusters. For this, two special keys in the Vault secret itself exist:
As an advanced feature, it is also possible to limit the clusters to which the secret should be synced. This is not needed in most cases and will result in failures if used for secrets that are used by jobs. This also works by using a special key in vault:
Use A Secret In A Job Step
The most common case is to use secrets in a step of a job. In this case, we require the user to mirror secrets to the test-credentials namespace. The pod which runs the step can access the secrets through the credentials stanza of the step definition. See the documentation.
Use A Secret In Non-Step jobs
Warning: This section is used only for the jobs that had existed before Test Step Registry was introduced and have not yet been converted to multistage tests with steps. It is strongly suggested to use steps for any new jobs.
For non-step jobs, we have to use ci as the targeting namespace in the secret mirroring configuration.
- For a job which is generated from ci-operator configuration and does not use steps, we can mount the secrets via the secrets stanza in the
- For a job which does not even use ci-operator at all, i.e. handcrafted jobs, the following example shows how to use secrets in a job definition. As stated there, creating handcrafted jobs is discouraged.
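The following is an added worked example (not code from this page or from the DPTP tooling) modelling the path described in Add A New Secret, Use A Secret In A Job Step and this section: a Vault secret carrying the sync keys is checked against the namespace rules above, turned into the Kubernetes Secret the mirroring would create, and referenced from a step's credentials stanza. The key names secretsync/target-namespace, secretsync/target-name and secretsync/target-clusters are the ones I know the secret-sync tooling to use, and the manifest shape is a constructed model, so verify both against your Vault instance.

```python
import base64

# Special keys read from the Vault secret (assumed names; verify on your
# instance). They steer mirroring and are stripped from the mirrored data.
TARGET_NAMESPACE_KEY = "secretsync/target-namespace"
TARGET_NAME_KEY = "secretsync/target-name"
TARGET_CLUSTERS_KEY = "secretsync/target-clusters"

# Namespaces the page prescribes: steps read test-credentials, legacy jobs ci.
STEP_NAMESPACE = "test-credentials"
NON_STEP_NAMESPACE = "ci"

# Constructed sample of a Vault secret as stored under the selfservice path.
SAMPLE_VAULT_SECRET = {
    TARGET_NAMESPACE_KEY: STEP_NAMESPACE,
    TARGET_NAME_KEY: "example-registry-token",
    "token": "not-a-real-token",
}


def _payload(vault_secret: dict) -> dict:
    """Everything except the sync control keys is the secret's real data."""
    return {k: v for k, v in vault_secret.items() if not k.startswith("secretsync/")}


def validate_sync_keys(vault_secret: dict, used_by_step: bool) -> list:
    """Return the problems found; an empty list means the secret can be mirrored."""
    problems = []
    ns, name = vault_secret.get(TARGET_NAMESPACE_KEY), vault_secret.get(TARGET_NAME_KEY)
    if not ns or not name:
        problems.append("both target-namespace and target-name keys are required")
    expected = STEP_NAMESPACE if used_by_step else NON_STEP_NAMESPACE
    if ns and ns != expected:
        problems.append(f"target namespace {ns!r} should be {expected!r}")
    if TARGET_CLUSTERS_KEY in vault_secret:
        # Page: restricting clusters breaks jobs scheduled on the other clusters.
        problems.append("cluster restriction set; jobs on other clusters will fail")
    if not _payload(vault_secret):
        problems.append("secret carries no data besides the sync keys")
    return problems


def mirrored_secret(vault_secret: dict) -> dict:
    """Kubernetes Secret manifest the sync would create (constructed model)."""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in _payload(vault_secret).items()}
    meta = {"namespace": vault_secret[TARGET_NAMESPACE_KEY], "name": vault_secret[TARGET_NAME_KEY]}
    return {"apiVersion": "v1", "kind": "Secret", "metadata": meta, "type": "Opaque", "data": data}


def credentials_stanza(vault_secret: dict, mount_path: str) -> dict:
    """Entry for a step definition's credentials list that mounts the mirrored Secret."""
    return {"namespace": vault_secret[TARGET_NAMESPACE_KEY],
            "name": vault_secret[TARGET_NAME_KEY], "mount_path": mount_path}
```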