Skip to content

open-infrastructure-labs/moc-cnv-sandbox

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

245 Commits

callback_plugins

callback_plugins

 
 

docs

docs

 
 

group_vars

group_vars

 
 

manifests

manifests

 
 

meeting-notes

meeting-notes

 
 

roles

roles

 
 

scripts

scripts

 
 

test_plugins

test_plugins

 
 

.gitignore

.gitignore

 
 

.gitlab-ci.yml

.gitlab-ci.yml

 
 

.gitmodules

.gitmodules

 
 

.vault_pgp_keys

.vault_pgp_keys

 
 

.vault_secret

.vault_secret

 
 

.yamllint.yml

.yamllint.yml

 
 

README.md

README.md

 
 

ansible.cfg

ansible.cfg

 
 

hosts.yml

hosts.yml

 
 

playbook-bmh.yml

playbook-bmh.yml

 
 

playbook-mailinglist.yml

playbook-mailinglist.yml

 
 

playbook-ocs.yml

playbook-ocs.yml

 
 

playbook-postinstall.yml

playbook-postinstall.yml

 
 

playbook-preinstall.yml

playbook-preinstall.yml

 
 

playbook-ssh-keys.yml

playbook-ssh-keys.yml

 
 

requirements.txt

requirements.txt

 
 

requirements.yml

requirements.yml

 
 

test-requirements.txt

test-requirements.txt

 
 

Repository files navigation

MOC CNV Sandbox

Configuration and documentation for the CNV Sandbox at the Mass Open Cloud (MOC).

Playbooks

  • playbook-preinstall.yml

    Set up provisioning host and generate the install configuration.

  • playbook-postinstall.yml

    Fetches authentication credentials from the provisioning host and then uses the OpenShift API to perform post-configuration tasks (installing certificates, configuring SSO, installing CNV, etc).

Encryption

Files with credentials and other secrets are encrypted using ansible-vault. The vault key itself is included in the repository and is encrypted using GPG to the identities listed in the [.vault_pgp_keys][] file.

Adding a new PGP key

  1. Add the key fingerprint to .vault_pgp_keys.

    We use key fingerprints rather than email addresses to ensure that we are using the correct key (you may have multiple keys with the same email address in your keychain).

  2. Run the scripts/rekey-vault-secret.sh script. This will decrypt the vault secret and then re-encrypt it to all the identities in the list.

Updating the vault secret

If you want to replace the vault secret (e.g., you think the unencrypted secret has been compromised):

  1. Run the scripts/rekey-vault-files.sh script. This will generate a new random key, use ansible-vault to rekey all vaulted files with the new key, and then encrypt the key to the identities in .vault_pgp_keys.

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

7 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 5

Languages