Sharing `secrets.yml` for ofn-install

VERY relevant for this discussion: https://github.com/nonprofit. I believe we meet all the requirements, so as soon as we get the unlimited private repositories, we get rid of a downside.

It’s time to move to action. This is one of the major blockers for the sysadmin standardization that we started back in December 2017. To move to a conclusion, and having heard the opinions shared in this thread, here is what I propose:

Final proposal

First iteration

  • Apply for https://github.com/nonprofit
  • Create per-instance private repos in Openfoodfoundation’s GH organization to hold their secrets.yml. See an example in https://github.com/coopdevs/katuma_secrets
  • Create a Core Team in GitHub with all its members. There are people in the current groups who are no longer around and to whom I wouldn’t give access.
  • Give this team permissions to edit all secrets repos
  • Create a Bitwarden account for OFN, giving access to the core team
  • Store the encryption passphrase of each instance’s secrets.yml in Bitwarden

Second iteration

  • Switch to ansible’s value-only encryption in all secrets repos
  • Create a deployers team, subset of the core team with permissions to edit all secrets repos

This last step will answer @luisramos0’s concern, already tracked in https://github.com/openfoodfoundation/ofn-install/issues/267.

Resulting processes

As a result, this is how our processes would look:

First time setup

# Replace france with any other instance name
# Let's assume this repo lives next to openfoodnetwork's repo
$ git clone git@github.com:openfoodfoundation/france_secrets.git

Provisioning

Copy the french instance’s vault password from Bitwarden’s browser extension

$ ansible-playbook playbooks/provision.yml --limit=fr-staging -e "@../france_secrets/staging.yml" --ask-vault-pass
Vault password: # Paste the vault password you just copied

`-e` stands for `--extra-vars`, Ansible’s mechanism to pass variables on the command line. `@` is the way to tell it to get the vars from a file.

Sit back and relax while the provisioning takes place :tropical_drink:

Deployment

Likewise, copy the French instance’s vault password from Bitwarden’s browser extension

$ ansible-playbook playbooks/deploy.yml --limit=fr-staging --ask-vault-pass -e "@../france_secrets/staging.yml"
Vault password: # Paste the vault password you just copied

Enjoy! :rocket:

So please, if you think there’s something relevant worth modifying in this proposal, do so in the coming days. Do you see a little improvement on top of this which wouldn’t change the proposal much? Let’s iterate and include them one by one, but let’s get the ball rolling!

Once we agree on the steps I’ll start creating the necessary issues in ofn-install.

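An added example, not code from the post above nor from ofn-install: a small pre-commit style check that a per-instance secrets repo could run once the second iteration (value-only encryption) is in place. It assumes the repo layout from the proposal (one YAML file per environment, e.g. `staging.yml`), the real `ansible-vault` output formats (a whole-file vault begins with a `$ANSIBLE_VAULT;1.x;AES256` header line followed by hex; `ansible-vault encrypt_string --name <key> <value>` yields a `key: !vault |` block with the same header and hex lines indented beneath it), and a key-name heuristic (`password`, `secret`, `token`, ...) that is an assumption of this example, not an OFN convention. The sample files embedded below are constructed for the example; the hex in them is not real ciphertext.

```python
"""Check that an OFN-style secrets file leaks no plaintext secrets.

Two accepted states, matching the proposal's two iterations:
  1. whole-file encryption: the first line is a $ANSIBLE_VAULT header;
  2. value-only encryption: plain YAML whose sensitive values are
     `!vault |` blocks produced by `ansible-vault encrypt_string`.
Anything else for a sensitive-looking key is reported as a finding.
The YAML walk is deliberately minimal (key: value lines and indented
blocks); list items are not inspected.
"""
import re
from dataclasses import dataclass

# Real ansible-vault header formats: 1.1 (no vault id) and 1.2 (with vault id).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;[\w.-]+)?$")
HEX_LINE = re.compile(r"^[0-9a-f]+$")
KEY_VALUE = re.compile(r"^(?P<indent>[ ]*)(?P<key>[A-Za-z0-9_.-]+):(?:[ ]+(?P<value>.*))?$")
# Assumed heuristic for "this key holds a secret"; tune per repo.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api_key|private_key)", re.I)


@dataclass
class Finding:
    line: int      # 1-based line number in the file
    key: str
    message: str


def _payload_ok(block):
    """True if the lines look like ansible-vault ciphertext: header, then hex."""
    if len(block) < 2 or not VAULT_HEADER.match(block[0]):
        return False
    return all(HEX_LINE.match(line) for line in block[1:])


def check_secrets(text):
    """Return (mode, findings) for the contents of a secrets YAML file."""
    lines = text.splitlines()
    # Whole-file encryption: only verify the body is ciphertext, nothing to inspect.
    if lines and VAULT_HEADER.match(lines[0].strip()):
        body_ok = all(HEX_LINE.match(l.strip()) for l in lines[1:] if l.strip())
        findings = [] if body_ok else [Finding(1, "<file>", "vault header but body is not ciphertext")]
        return "whole-file", findings

    findings = []
    i = 0
    while i < len(lines):
        m = KEY_VALUE.match(lines[i])
        if not m or lines[i].lstrip().startswith("#"):
            i += 1
            continue
        indent = len(m.group("indent"))
        key = m.group("key")
        value = (m.group("value") or "").strip()
        if value.startswith("!vault"):
            # Gather the indented block below the tag; it must be vault ciphertext.
            block, j = [], i + 1
            while j < len(lines) and lines[j].strip() and len(lines[j]) - len(lines[j].lstrip()) > indent:
                block.append(lines[j].strip())
                j += 1
            if not _payload_ok(block):
                findings.append(Finding(i + 1, key, "!vault tag without a valid $ANSIBLE_VAULT ciphertext"))
            i = j
            continue
        if value and SENSITIVE_KEY.search(key):
            findings.append(Finding(i + 1, key, "sensitive key with plaintext value"))
        i += 1
    return "value-only", findings


# Constructed sample of a value-only staging.yml with two mistakes in it.
VALUE_ONLY_SAMPLE = """\
# constructed sample, not a real OFN file
rails_env: staging
db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  66386439653236336462626566653063336164663966303231363934653561363064363833313662
  3931363065336335633533313835306361623836636431640a316365303331366561356261366139
smtp_password: hunter2
secret_key_base: !vault |
  this is not ciphertext
"""

# Constructed sample of a whole-file encrypted staging.yml (first iteration).
WHOLE_FILE_SAMPLE = """\
$ANSIBLE_VAULT;1.1;AES256
30303030303030303030303030303030303030303030303030303030303030303030303030303030
31313131313131313131313131313131313131313131313131313131313131313131313131313131
"""

if __name__ == "__main__":
    for name, sample in (("staging.yml", VALUE_ONLY_SAMPLE), ("whole.yml", WHOLE_FILE_SAMPLE)):
        mode, findings = check_secrets(sample)
        print(f"{name}: mode={mode}, findings={len(findings)}")
        for f in findings:
            print(f"  line {f.line}: {f.key}: {f.message}")
```

Wired into the secrets repo as a pre-commit hook (exit non-zero when findings are non-empty), this stops the failure mode value-only encryption invites: someone adds a new variable to a plaintext-looking file and forgets to run `encrypt_string` on it. The check does not need the vault password, so it can also run in CI for the deployers team without exposing the passphrase stored in Bitwarden.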