
Use variables for execution explorer deployment

Open dapplion opened this issue 3 years ago • 5 comments

  • Generalize explorer deployment with variable.
  • Add explorer.yml to hold those variables.

Includes the variables used in https://github.com/parithosh/consensus-deployment-ansible/pull/49

@parithosh we can generalize the handling of secrets in a following PR

@parithosh I've committed a proposed explorer.yml here but please feel free to update the actual one used for mainnet-shadow-fork-7

dapplion, Jun 27 '22 19:06

Our manner of secret handling involves keybase. I'm open to ansible vault secrets as an alternative, but that might need to be a deeper discussion including some others on the team.

parithosh, Jun 29 '22 10:06

> Our manner of secret handling involves keybase. I'm open to ansible vault secrets as an alternative, but that might need to be a deeper discussion including some others on the team.

What about having variables that depend on secrets documented in each group, like:

explorer.yml

# Set in secrets.yaml
# explorer_postgres_password: "{{ lookup('pipe', 'keybase fs read /keybase/team/ethereum.devops/eth2/merge-devnets/merge-devnet-3/explorer-postgres') }}"

Then in a gitignored secrets.yaml you have

explorer_postgres_password: "{{ lookup('pipe', 'keybase fs read /keybase/team/ethereum.devops/eth2/merge-devnets/merge-

And in my gitignored secrets.yaml I have the secret specified in some other way

dapplion, Jun 29 '22 18:06

The issue with a generic secrets.yaml file is that every role needs to have access to all the secrets. It isn't an issue per se, but it isn't really best practice. We can try it out if you think it's a big QoL improvement; the secrets only exist on local disk anyway.

parithosh, Jun 30 '22 13:06

> The issue with a generic secrets.yaml file is that every role needs to have access to all the secrets. It isn't an issue per se, but it isn't really best practice. We can try it out if you think it's a big QoL improvement; the secrets only exist on local disk anyway.

Good point, getting this right and generic is tricky. Would it make sense to commit something at least, and then each one can customize their local file while we figure out the best solution? You can commit your version of the file with keybase key loading.

dapplion, Jun 30 '22 14:06

Sure. One nice thing about the secrets.yaml approach is that it's easier to switch secret management systems: you can use ansible vault, keybase or a number of other approaches without it hurting anything.

parithosh, Jun 30 '22 15:06
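The pattern the two comments above converge on (a committed explorer.yml that only documents which secret variables are expected, a gitignored secrets.yaml that supplies them from whichever backend the operator uses, and a playbook that fails early if one is missing) looks like the following. This is an added illustration, not a file from the consensus-deployment-ansible repository; the file names `group_vars/explorer.yml`, `secrets.yaml` and `deploy-explorer.yml`, the host group `explorer`, the role name `explorer` and the keybase path placeholders are assumptions.

```yaml
# Added example, not from the PR. Three files are sketched here; only the
# playbook at the bottom is live YAML, the other two are shown as comments.
#
# --- group_vars/explorer.yml (committed; no secret values, only the contract) ---
# explorer_postgres_user: explorer
# # Set in secrets.yaml (gitignored), for example:
# # explorer_postgres_password: "{{ lookup('pipe', 'keybase fs read /keybase/team/<team>/<path>') }}"
#
# --- secrets.yaml (gitignored); pick one backend, roles never see the difference ---
# # keybase: the 'pipe' lookup runs the command on the control node at play time
# explorer_postgres_password: "{{ lookup('pipe', 'keybase fs read /keybase/team/<team>/<path>') }}"
# # ansible-vault: value produced with
# #   ansible-vault encrypt_string --stdin-name explorer_postgres_password
# # explorer_postgres_password: !vault |
# #   $ANSIBLE_VAULT;1.1;AES256
# #   <ciphertext>
#
# --- deploy-explorer.yml ---
- hosts: explorer
  vars_files:
    - secrets.yaml            # assumed path, relative to the playbook
  pre_tasks:
    - name: Fail early if a required secret is missing or empty
      ansible.builtin.assert:
        that:
          - explorer_postgres_password is defined
          - explorer_postgres_password | length > 0
        fail_msg: "explorer_postgres_password must be set in secrets.yaml"
        quiet: true           # do not echo the evaluated expression into the log
  roles:
    - explorer                # assumed role; tasks that use the password should set no_log: true
```

Because the secret is resolved through a lazily evaluated lookup, the keybase mount only has to exist on the machine running `ansible-playbook`, and swapping the backend means editing one line of the gitignored file rather than any role. The `assert` in `pre_tasks` turns a missing secret into a clear failure before any host is touched, instead of an empty password reaching the postgres configuration.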