Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rotate Linux builder PAT for HRA2 and upgrade runner software #86

Merged
merged 1 commit into from
May 7, 2024
Merged

Rotate Linux builder PAT for HRA2 and upgrade runner software #86

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 1 addition & 3 deletions .sops.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,9 +23,7 @@ creation_rules:
- *dweb-reverse-proxy
- path_regex: ^secrets/linux-builder-01/[^/]+$
key_groups:
- pgp:
- *steveej
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this needed? We can always make a new token if we need to.

Don't want to have to set up GPG on my system if I can avoid it

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

probably stating the obvious: it allows decrypting and viewing the secret with the given public key.

did you get an error at some point? if you use the sops from within nix develop the required binaries to encrypt the keys should be there. i'd prefer having the keys readable on my machine so it'd be good to have this back with the new secret as well.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't enter a dev shell and there's no docs to tell me how to fix that:

> nix develop
++ REPO_SECRETS_DIR=/home/thetasinner/.holochain-infra-secrets
++ mkdir -p /home/thetasinner/.holochain-infra-secrets
++ chmod 700 /home/thetasinner/.holochain-infra-secrets
++ export NOMAD_CLIENT_KEY=/home/thetasinner/.holochain-infra-secrets/global-cli-nomad-key
++ NOMAD_CLIENT_KEY=/home/thetasinner/.holochain-infra-secrets/global-cli-nomad-key
++ sops -d secrets/nomad/cli/keys.yaml
++ yq .global-cli-nomad-key
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  6F7069FE6B96E894E60EC45C6EEFA706CB17E89B: FAILED
    - | could not decrypt data key with PGP key:
      | github.com/ProtonMail/go-crypto/openpgp error: could not
      | load secring: open /home/thetasinner/.gnupg/pubring.gpg: no
      | such file or directory; GnuPG binary error: failed to
      | decrypt sops data key with pgp: gpg: encrypted with RSA key,
      | ID 44871BFCC5DF6DBB
      | gpg: decryption failed: No secret key
  
  age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx: FAILED
    - | failed to load age identities: failed to open file: open
      | /home/thetasinner/.config/sops/age/keys.txt: no such file or
      | directory
  
  age194xfar0gfdauu2dcxwqk9lh9d0vjfrzzs2ke0ppanpwv9eqxzs2qp7q7cn: FAILED
    - | failed to load age identities: failed to open file: open
      | /home/thetasinner/.config/sops/age/keys.txt: no such file or
      | directory

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
+ command rm -f /tmp/nix-shell.j9KGXu

I don't see that the Nix shell sets up GPG anyway though? I would still need to import your public key to be able encrypt with it. It's not like age where the public key is just a string. The GPG identifiers are just fingerprints so I won't be able to do anything with that.

I get that being able to decrypt is useful for debugging but we really shouldn't need to have access to these tokens beyond doing the job of transferring them GitHub to the builder. That's why I'm questioning the need to retain this?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't enter a dev shell and there's no docs to tell me how to fix that:

gotcha, that error is noisy however it won't actually prevent the shell from spawning. despite that it's not a good long-term solution anyway to have that secret decrypted to the filesystem permanently. i'll clean that up in the near-term, i created an issue for tracking that.

I don't see that the Nix shell sets up GPG anyway though? I would still need to import your public key to be able encrypt with it.

sops transparently retrieves publicly available keys automatically so it should've just worked to encrypt the secret towards my public key. in the case of my key lookup by fingerprint works. would you mind giving this a try?

I get that being able to decrypt is useful for debugging but we really shouldn't need to have access to these tokens beyond doing the job of transferring them GitHub to the builder. That's why I'm questioning the need to retain this?

the sops updatekeys command requires temporarily decrypting the secrets. maybe in a perfect set up we'd never update and generate new secrets instead and re-deploy all relevant machines. it seems like a leap from here and i'd like to keep the convenience of re-encrypting existing keys until we have the better solution. WDYT?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ThetaSinner PTAL at my comments above. given your changes are already deployed, i'd like to resolve this one way or another to get your PR merged to develop.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having to update keys would mean that the SSH key of the Linux builder has changed. Given that these tokens expire anyway, I don't see the problem with needing to issue a new PAT if the machine's identity changes. It doesn't seem like a lift to me, it just works and is something to be aware of if the SSH key for the Linux builder changes.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having to update keys would mean that the SSH key of the Linux builder has changed.

also that we've added another machine. agreed that it works to create a new PAT. it does make (disaster recovery) deployment slightly slower as i've had issues with new PATs in the past with missing permissions. i think i'm getting clarity that the quick and reliably generation of a minimally scoped PAT is the crux here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#90

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I relied on the GH UI to tell me what permissions the new token needed - it shows you what was available to the previous token even though you can't get at the token value. E.g. one of my tokens

image

age:
- age:
- *linux-builder-01
- path_regex: ^secrets/nomad/.+$
key_groups:
Expand Down
8 changes: 4 additions & 4 deletions flake.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion modules/flake-parts/nixosConfigurations.linux-builder-01/configuration.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@
};

sops.secrets.github-runners-token = {
key = "gh_hra2_pat3";
key = "gh_hra2_pat5";
sopsFile = ../../../secrets/${config.networking.hostName}/secrets.yaml;
};

Expand Down
55 changes: 20 additions & 35 deletions secrets/linux-builder-01/secrets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,36 +1,21 @@
gh_hra2_pat3: ENC[AES256_GCM,data:UkBtRQgM55xhRdLxk7ltphXYkl+JbQ4DsxxXCI4T2CclsAIty504pQ==,iv:9AQlv13e15/Sg+6WD/J4JBLstFap5bni2/XYYj1uVpE=,tag:CHA7uRqvwHWdx11fRP6SuQ==,type:str]
gh_hra2_pat5: ENC[AES256_GCM,data:m6UB6irVbsOcXzJiwTu/mSSIIr05LN/HleqH2ZOt3/PaURu3doTTEA==,iv:WqNNk/SkJbNcJVfhfxVirGw5VWamZXXt+FZYlHIkUoc=,tag:g2Ap+6pnIGNmG3SW0VVk2w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kxkr407jz77ljrhgsfwfmv2yvqjprc6unvx389xp2f48xj8r0vqq2wew5r
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVYXhtc3d0REVwekdJS1h4
cnlzOU14cVVRTU9iN2lzTWZCK1dleXpCRmhFCkMyZnloNFcvby9PQkRJS2p1U1B3
bkJHR0g5aCtUTnRKSHhvcDVIZVJGQzQKLS0tIDNjSFlXY0RGeFRFbktTU2IvVUY4
YlZ5Q2RvYmpFZDVHbU5BWDZNUlc0YlUKBRDyVNOh3WLHCPnmk3HzexDxtu5jAvsc
PE62iYCawOhKwDb2xbXH+JLZdz4VamyUbA8MsNcPjHGW2qifiiaF6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-21T18:49:10Z"
mac: ENC[AES256_GCM,data:xKGYmbdrEFTpAsu0xA8F9Q63FDQaASelGBNF4qVWMbsG9hG3hoogDwOB22jsCrXgF+b8A26El233hVFoI0LD+iWZtXi/cAgPRsjeVS5XnAsgrnFIKEMe+gJfx0PhUVqKUohN5hM1mC2xwHA4yYu3Wg4C2olfTiPio4au1D7mZLo=,iv:iLAG8UnVYXmYxNk6pR4J222+qaQhuG2vRj7wlOs9kM4=,tag:Oxfn8ps46A1jLB2LgzfE2w==,type:str]
pgp:
- created_at: "2023-07-21T18:48:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----

wcBMA0SHG/zF3227AQf/dpQdlD/Ag8AIbo+FWhbHzgiZYpYJ4k+R+2ltFyUvFi5s
mwL6DC7uuDB3NPiBfuDFkh0sYoS0n0PinXqezZaZeGncIf4gf5K+wY9Aa2GhIXdo
ldVkamidwU9BDOZIhixiBNIVJztzregjDKpqj0Nc1E8KB3DgJczaWPpZkk4lxi42
iuDq+rg+qh3z5LYN8yWhTs8XlpXqKokXOJqtqnn62PxtTl66bVCYJwMEUTl7DVey
Xd4rK7JJ5IKUjs4RVM+ueZkNOnNmC40TG9PKhLoUlDsDjwd6qfVtLZWU+rT78qoB
NfcICEqdCij3PrQx33peHPwKq9vGt9D++mxoXU0gQ9JRAdiNso6FigsQLnBZRxSZ
RMSzRYnjCCl3NO0Euze48TNb5gwICGaNuxh74s8R2XTDMK+HUqE5VxvujpsSq+Qp
RR+MrN9Xvg41l2bOZbWLQDoz
=YvPf
-----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted
version: 3.7.3
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kxkr407jz77ljrhgsfwfmv2yvqjprc6unvx389xp2f48xj8r0vqq2wew5r
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjL1lCY1RBcFJNZXVnM3Fo
RkltaWRuaG5XTS85akI1VDQ5N2gxMnBabzNFCjJMbmh2dU5CRzdIUmNyMkJFNUxJ
bVUxNmM1c3RhU3pQTGZiNnUxS1ByblEKLS0tIDRTZUk2VHIwR3RRSjlpdzErSGFH
R09NU2VzZkpZUm92VEpZbTRsTXB6b28KmZg12nSwqdQCJJg4EsVAAe76nYzc8tNG
0t0k4zNHN+Dcd2JF+RjmqdpUAHHxqH9Gwi2tJAcVLavrxnEEhRdzag==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-03T10:49:03Z"
mac: ENC[AES256_GCM,data:JrtBIQsJTrT95UsLChI3JGRORhuZCMjf96/dmGiLqkZ1oFNOqh4Mr7eJjPX/PUpGntzjkU0GCPeZnqOj69P/AZEkJ7wa79/F/Roy4yd9gy7sYPnxHY6BmNjSV3AzhiGcHdLppr9c90yhUcDGuVB0NKPE9Yc97PqCnnS6rxD9qUo=,iv:5TDvy7KaBIgkKLI5danB+svNlDV6Zs1/VmonXQWSk1U=,tag:Sp7RNb/TJeWq5nadUiL8Ng==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1