VERY relevant for this discussion https://github.com/nonprofit. I believe we meet all the requirements so then, as soon as we get the unlimited private repositories, we get rid of a downside.
It’s time to move to action. This is one of the major blockers for the sysadmin standardization that we started back in December 2017. To move to a conclusion, and hearing the opinions shared in this thread, here is what I propose:
Final proposal
First iteration
- Apply for https://github.com/nonprofit
- Create per-instance private repos in Openfoodfoundation’s GH organization to hold their `secrets.yml`. See an example in https://github.com/coopdevs/katuma_secrets
- Create a Core Team in Github with all its members. There are people in the current groups that are no longer around and to whom I wouldn’t give access.
- Give this team permissions to edit all secrets repos
- Create a Bitwarden account for OFN giving access to the core team
- Store the encryption passphrase of each instance’s `secrets.yml` in Bitwarden
Second iteration
- Switch to Ansible’s value-only encryption in all secrets repos
- Create a deployers team, subset of the core team with permissions to edit all secrets repos
This last step will answer @luisramos0’s concern, already tracked in https://github.com/openfoodfoundation/ofn-install/issues/267.
Resulting processes
As a result, this is how our processes would look:
First time setup
# Replace france with any other instance name
# Let's assume this repo lives next to openfoodnetwork's repo
$ git clone git@github.com:openfoodfoundation/france_secrets.git
Provisioning
Copy the french instance’s vault password from Bitwarden’s browser extension
$ ansible-playbook playbooks/provision.yml --limit=fr-staging -e "@../france_secrets/staging.yml" --ask-vault-pass
Vault password: # Paste the vault password you just copied
`-e` stands for `--extra-vars`, Ansible’s mechanism to pass variables on the command line. `@` is the way to tell it to get the vars from a file.
Sit back and relax while the provisioning takes place
Deployment
Likewise, copy the French instance’s vault password from Bitwarden’s browser extension
$ ansible-playbook playbooks/deploy.yml --limit fr-staging --ask-vault-pass -e "@../france_secrets/staging.yml"
Vault password: # Paste the vault password you just copied
Enjoy!
So please, if you think there’s something relevant worth modifying in this proposal, do so in the coming days. Do you see a little improvement on top of this which wouldn’t change the proposal much? Let’s iterate and include them one by one, but let’s get the ball rolling!
Once we agree on the steps I’ll start creating the necessary issues in ofn-install.
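A guard for the per-instance secrets repos described above, as an added example that is not part of the original post or of ofn-install: it accepts a `secrets.yml` that is either vault-encrypted as a whole (first iteration) or stores every secret-looking value as a `!vault` block (second iteration, value-only encryption), and reports any credential still in the clear before it is pushed to GitHub. The sample file, the key-name heuristic and the function name are assumptions.

```python
"""Pre-push check for an instance secrets.yml (constructed example)."""
import re

# Header line that Ansible Vault writes at the start of encrypted data
# (format 1.1, or 1.2 with a vault id label).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;[\w-]+)?$")
# 'key: value' at any indentation; list items and payload lines do not match.
KEY_LINE = re.compile(r"^(\s*)([\w.-]+):\s*(.*?)\s*$")
# Assumed heuristic: key names that should never hold a plaintext value.
SECRET_KEY = re.compile(r"pass|secret|token|key|credential", re.I)


def find_plaintext_values(text):
    """Return [(line_no, key)] for secret-looking keys whose value is readable."""
    lines = text.splitlines()
    if lines and VAULT_HEADER.match(lines[0].strip()):
        return []  # whole-file encryption: nothing in the file is readable in git
    leaks, i = [], 0
    while i < len(lines):
        m = KEY_LINE.match(lines[i])
        if not m or lines[i].lstrip().startswith("#"):
            i += 1
            continue
        indent, key, value = m.groups()
        if value == "!vault |":
            # The payload is the more-indented block that follows; its first
            # line must be a real vault header, otherwise the tag is decorative.
            j = i + 1
            if j < len(lines) and VAULT_HEADER.match(lines[j].strip()):
                while j < len(lines) and lines[j].startswith(indent + " "):
                    j += 1
                i = j
                continue
            leaks.append((i + 1, key))
        elif value and not value.startswith("#") and SECRET_KEY.search(key):
            leaks.append((i + 1, key))  # scalar credential in the clear
        i += 1
    return leaks


# Constructed sample, not a real OFN instance file: one proper vault block,
# one plaintext password under a nested mapping, one fake '!vault' tag.
SAMPLE = """\
# constructed example
db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386439653236336462626566653063336164663966303231363934653561363964363833313662
          6431626536303530376336343832656537303632313433360a626438346336353331386135323031
smtp:
  host: smtp.example.org
  password: hunter2
api_key: !vault |
  not-really-encrypted
"""

if __name__ == "__main__":
    for line_no, key in find_plaintext_values(SAMPLE):
        print(f"line {line_no}: '{key}' is not vault-encrypted")
```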