[OpenStack-Infra] Hostnames

Jeremy Stanley fungi at yuggoth.org
Mon Jan 8 18:13:29 UTC 2018


On 2018-01-06 14:16:35 -0500 (-0500), Paul Belanger wrote:
[...]
> I know we also talked about building our own DIBs for control plane
> servers, which would move us to glean by default. In the past we
> discussed using nodepool to build the images, but didn't want to
> add passwords for rax into nodepool.o.o. That would mean a 2nd
> instance of nodepool, do people think that would work? Or maybe
> some sort of periodic job and store credentials in zuul secrets?

In the past we've considered the fact that none of our automation
has access to our control plane provider account credentials to be a
feature. There is a bit of additional risk, for example with giving
Zuul jobs access to those, where a failure in security design for
job secret handling could allow a malicious party to take control of
Zuul itself (and far more for that matter).
-- 
Jeremy Stanley