On 2018-01-06 14:16:35 -0500 (-0500), Paul Belanger wrote:
[...]
> I know we also talked about building our own DIBs for control plane
> servers, which would move us to glean by default. In the past we
> discussed using nodepool to build the images, but didn't want to
> add passwords for rax into nodepool.o.o. That would mean a 2nd
> instance of nodepool, do people think that would work? Or maybe
> some sort of periodic job and store credentials in zuul secrets?

In the past we've considered the fact that none of our automation has access to our control plane provider account credentials to be a feature. There is a bit of additional risk, for example with giving Zuul jobs access to those, where a failure in security design for job secret handling could allow a malicious party to take control of Zuul itself (and far more for that matter).

--
Jeremy Stanley
_______________________________________________
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra