---
# Seed definitions for credentials and the 1Password references that fill them.
#
# Shape, as read from this file:
#   system:     list of `domain` entries; each has name, description, an
#               `includes` host list (comma-separated string) and `credentials`.
#   folder.it:  list of items that are either a bare `credentials` list or a
#               `domain` entry like those under `system`.
#   credential: `type` (usernamepassword | sshprivatekey | string | file),
#               `scope` (GLOBAL | SYSTEM), `id`, the secret-bearing keys left
#               empty, and an `onepass` list. Each `onepass` entry names the
#               empty key in `target` and locates the value by
#               item / vault / optional section / field.
#
# NOTE(review): the consumer of this file is not shown here. The GLOBAL/SYSTEM
# scopes, the `includes` host patterns and the /var/jenkins_home path suggest
# Jenkins credentials and credential domains — confirm against the seeding job.
# NOTE(review): the nesting of keys under `domain:` and `credentials:` was
# reconstructed from key order; verify against the consumer's schema.
system:
  - domain:
      name: "VBC Bitbucket"
      description: "VBC Bitbucket git repositories"
      includes: "bitbucket.vbc.ac.at, bitbucket.imp.ac.at"
      credentials:
        - type: usernamepassword
          scope: GLOBAL
          id: "svc-bitbucket-access-user-passwd"
          # both left empty here and filled from the onepass entries below
          username:
          password:
          description: "Bitbucket https API credentials for discovery"
          onepass:
            - target: password
              item: svc_bitbucket_access
              vault: accounts
              field: password
            - target: username
              item: svc_bitbucket_access
              vault: accounts
              field: username
        - type: sshprivatekey
          scope: GLOBAL
          id: "svc-bitbucket-access-ssh"
          username:
          # Doable, but not recommended
          passphrase:
          privatekey:
          description: "SSH Credentials for Bitbucket checkouts"
          onepass:
            - target: privatekey
              item: svc_bitbucket_access
              vault: accounts
              section: 'SSH'
              field: private_open
            - target: username
              item: svc_bitbucket_access
              vault: accounts
              field: username
  - domain:
      name: "Github"
      description: "Github API"
      includes: "api.github.com, *.github.com"
      credentials:
        - scope: SYSTEM
          id: "github-gmi-hook-admin"
          type: string
          # Load from Environment Variable
          # NOTE(review): the comment above says "environment variable", but an
          # onepass entry for `secret` follows — one of the two is stale. The
          # same applies to the other "Load from Environment Variable" comments
          # in this file.
          secret:
          description: "Github GMI org hook manager"
          onepass:
            - target: secret
              item: 'Github GMI hook admin'
              vault: accounts
              field: password
        - scope: SYSTEM
          id: "github-1001genomes-hook-admin"
          type: string
          # Load from Environment Variable
          secret:
          description: "Github 1001genomes hook manager"
          onepass:
            - target: secret
              item: '1001 genomes project'
              vault: accounts
              section: github
              field: token
  - domain:
      name: "Artifactory"
      description: "Artifactory build result uploads"
      includes: "*.artifactory.vbc.ac.at, *.artifactory.imp.ac.at, artifactory.vbc.ac.at, artifactory.imp.ac.at"
      credentials:
        - scope: GLOBAL
          id: "jenkins_artifactory_creds"
          type: usernamepassword
          # username is given literally; only the password comes from 1Password
          username: "svc_jenkins_docker"
          # Load from Environment Variable
          password:
          description: "Artifactory upload password"
          onepass:
            - target: password
              item: svc_jenkins_docker
              vault: accounts
              field: password
  - domain:
      name: "Jenkins Nodes"
      description: "Jenkins builder nodes"
      includes: "it-builder-*.vbc.ac.at, it-build-clip-*.vbc.ac.at"
      credentials:
        - scope: SYSTEM
          id: "jenkins-nodes-ssh-key"
          type: sshprivatekey
          username: "svc_jenkins_docker"
          # Doable, but not recommended
          # NOTE(review): "" here, while the other sshprivatekey entries leave
          # `passphrase` bare (null) — confirm the consumer treats both as
          # "no passphrase".
          passphrase: ""
          description: "SSH Credentials for Jenkins build nodes"
          privatekey:
          onepass:
            - target: privatekey
              item: svc_jenkins_docker
              vault: accounts
              section: 'SSH'
              field: privatekey
  - domain:
      name: "Tower"
      description: "Access Tokens for VBC Tower"
      includes: "tower.vbc.ac.at"
      credentials:
        - type: string
          scope: GLOBAL
          id: "tower-access-token-it"
          secret:
          description: "Tower Access Token for IT"
          onepass:
            - target: secret
              item: svc_tower_jenkins
              vault: accounts
              section: 'tower token'
              field: token
  - domain:
      name: "RedHat"
      description: "Redhat registry etc"
      includes: "*.redhat.io, *.redhat.com"
      credentials:
        - type: usernamepassword
          scope: GLOBAL
          id: "redhat-registry-service-account"
          username:
          password:
          description: "RedHat container registry service account"
          # the only entry sourced from the `hosts` vault rather than `accounts`
          onepass:
            - target: username
              vault: hosts
              item: linux_baseline
              section: "registry.redhat.io"
              field: name
            - target: password
              vault: hosts
              item: linux_baseline
              section: "registry.redhat.io"
              field: password
  # these are of (global) domain
  - domain:
      name: "JIRA"
      description: "JIRA Access for VBC"
      includes: "jira.vbc.ac.at"
      credentials:
        - type: usernamepassword
          scope: GLOBAL
          id: "svc-jira-access"
          username: "svc-jira-access-user-not-existing"
          # Load from Environment Variable
          # NOTE(review): the only entry with literal placeholder values and no
          # onepass block, so nothing fills it from the vault; the description
          # already marks it FIXME — resolve before this id is relied on.
          password: "UNDEFINED FIXME"
          description: "JIRA access service user FIXME undefined yet"
folder:
  it:
    - credentials:
        - type: usernamepassword
          scope: GLOBAL
          id: "svc-1password-user"
          username:
          password:
          description: 1Password service user, username + password
          onepass:
            - target: username
              item: '1password Service Account'
              vault: accounts
              field: username
            - target: password
              item: '1password Service Account'
              vault: accounts
              field: password
        - type: usernamepassword
          scope: GLOBAL
          id: "svc-1password-domain"
          username:
          password:
          description: 1Password service user, domain + master secret
          onepass:
            - target: username
              item: '1password Service Account'
              vault: accounts
              section: 1password
              field: domain
            - target: password
              item: '1password Service Account'
              vault: accounts
              section: 1password
              field: secret_key
        # sourced from a file on disk (no onepass block)
        - type: file
          scope: GLOBAL
          id: "svc-1password-file"
          path: /var/jenkins_home/onepass_boot.yaml
          filename: onepassword_credentials.yml
          description: "1Password service account"
        # a bad workaround as currently cannot seed ssh credentials,
        # see 'SSHPrivateKeyCredentials' in vbc-cicd/jobs
        - type: sshprivatekey
          scope: GLOBAL
          id: 1001genome_deploy_ssh_key
          username:
          privatekey:
          onepass:
            - target: username
              vault: accounts
              item: '1001 genomes project'
              section: ssh
              field: username
            - target: privatekey
              vault: accounts
              item: '1001 genomes project'
              section: ssh
              field: privatekey
    # same `includes` hosts as the "VBC Bitbucket" domain under `system`,
    # but defined inside the `it` folder
    - domain:
        name: "VBC Seed repo"
        description: "VBC Bitbucket git repositories"
        includes: "bitbucket.vbc.ac.at, bitbucket.imp.ac.at"
        credentials:
          - type: sshprivatekey
            scope: GLOBAL
            id: "seed-git-ssh"
            username: "svc_bitbucket_access"
            # Doable, but not recommended
            passphrase:
            privatekey:
            description: "SSH Credentials for seed build checkouts"
            onepass:
              - target: privatekey
                item: 'svc_bitbucket_access'
                vault: accounts
                section: SSH
                field: private_open
...