
[batch] Use sops for credentials

Open lgruen opened this issue 2 years ago • 7 comments

Context: https://hail.zulipchat.com/#narrow/stream/300487-Hail-Batch-Dev/topic/ci_config.20secrets

#assign services

lgruen avatar Apr 04 '22 05:04 lgruen

@daniel-goldstein @jigold let's talk about this today/tomorrow? This seems like an improvement to me.

danking avatar Apr 11 '22 14:04 danking

Friendly ping, as merging this would help keep our fork in sync.

lgruen avatar Jun 01 '22 02:06 lgruen

@daniel-goldstein I think I am fine with this change in theory. However, it is unclear to me how this would work if we added our encoded files to the repository. Would other forks have to overwrite ours each time they merged changes? Would you want me to follow the new directions in my hail-jigold test project to verify the new changes are good?

jigold avatar Jun 01 '22 20:06 jigold

Forks would indeed need to overwrite ours, but since the file wouldn't change much it seems like that's not much of a hassle to maintain, right Leo? And ya this seems like a fine change but we would need to follow up right afterward with our own credentials.

daniel-goldstein avatar Jun 27 '22 15:06 daniel-goldstein

> Forks would indeed need to overwrite ours, but since the file wouldn't change much it seems like that's not much of a hassle to maintain, right Leo? And ya this seems like a fine change but we would need to follow up right afterward with our own credentials.

Yes, alternatively we could also use the GitHub organization name or something similar when constructing the file path to encrypted credentials, to avoid collisions completely. (Forks like the CPG one would only add files to their deployments.)

lgruen avatar Jun 30 '22 10:06 lgruen

I think if it's not too hard of a change, we should add the files with encoded secrets to something like infra/gcp/data/.... This makes it clear that these files have a different purpose and gives some indication that they're specific to your repo. If you want to also add prefixing the file name with the repo, then that would make it even clearer. But if it's too much work, don't bother. Maybe something like infra/gcp/data/hail-is/ etc.

jigold avatar Jun 30 '22 14:06 jigold

> I think if it's not too hard of a change, we should add the files with encoded secrets to something like infra/gcp/data/.... This makes it clear that these files have a different purpose and gives some indication that they're specific to your repo. If you want to also add prefixing the file name with the repo, then that would make it even clearer. But if it's too much work, don't bother. Maybe something like infra/gcp/data/hail-is/ etc.

I've put all deployment-specific configs in an $ORGANIZATION_DOMAIN subfolder now, which hopefully should avoid any collisions.

lgruen avatar Jul 04 '22 00:07 lgruen
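As an added example (not code from the Hail project or from anyone in this thread), a small repository check in the spirit of the layout discussed above: it walks infra/gcp/data/, flags credential files that sit outside the organization's subfolder (where they would collide with other forks), and flags files that carry no sops metadata or still contain cleartext values. The JSON file format, the exact directory layout and the sample files are assumptions.

```python
import json
import tempfile
from pathlib import Path
# Assumed layout, following the thread: infra/gcp/data/<ORGANIZATION_DOMAIN>/<file>
DATA_DIR = Path("infra") / "gcp" / "data"

def is_sops_encrypted(doc: dict) -> bool:
    """A sops-encrypted document has a top-level `sops` block with a MAC and a key group."""
    meta = doc.get("sops")
    if not isinstance(meta, dict) or "mac" not in meta:
        return False
    return any(meta.get(g) for g in ("gcp_kms", "kms", "age", "pgp", "azure_kv", "hc_vault"))

def has_plaintext_values(node) -> bool:
    """Encrypted leaves look like ENC[AES256_GCM,...]; any other leaf outside `sops` is cleartext."""
    if isinstance(node, dict):
        return any(has_plaintext_values(v) for k, v in node.items() if k != "sops")
    if isinstance(node, list):
        return any(has_plaintext_values(v) for v in node)
    return not (isinstance(node, str) and node.startswith("ENC["))

def check_repo(root: Path, org_domain: str) -> list:
    """One finding per credential file that is misplaced or not fully encrypted."""
    findings, data = [], root / DATA_DIR
    for path in sorted(data.rglob("*.json")):
        rel = path.relative_to(data).as_posix()
        if rel.split("/")[0] != org_domain:
            findings.append(f"{rel}: not under {org_domain}/, would collide with other forks")
        doc = json.loads(path.read_text())
        if not is_sops_encrypted(doc):
            findings.append(f"{rel}: no sops metadata, file is not encrypted")
        elif has_plaintext_values(doc):
            findings.append(f"{rel}: sops metadata present but some values are cleartext")
    return findings

def build_sample_repo() -> Path:
    """Constructed sample tree (not real Hail data): one correct file, three that should fail."""
    root = Path(tempfile.mkdtemp())
    enc = {"token": "ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]",
           "sops": {"mac": "ENC[AES256_GCM,data:bWFj,type:str]",
                    "gcp_kms": [{"resource_id": "projects/example/locations/global/keyRings/r/cryptoKeys/k"}]}}
    files = {"hail.is/ci-secrets.json": enc,                     # correct
             "hail.is/leaked.json": {"token": "hunter2"},         # never encrypted
             "hail.is/edited.json": {**enc, "token": "hunter2"},  # hand-edited after encryption
             "ci-secrets.json": enc}                              # encrypted, but in the shared folder
    for name, doc in files.items():
        (root / DATA_DIR / name).parent.mkdir(parents=True, exist_ok=True)
        (root / DATA_DIR / name).write_text(json.dumps(doc))
    return root
```

Running `check_repo(build_sample_repo(), "hail.is")` returns three findings, one for each of the bad sample files, and none for the correctly placed, fully encrypted one.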

Just realized that this is still open. Are there any missing changes?

lgruen avatar Aug 18 '22 06:08 lgruen

I'm so sorry. I didn't see you addressed my comments about the domain. I'll double check it one last time, but I'm sure it's fine.

jigold avatar Aug 18 '22 14:08 jigold