Set lumens secrets at start after generating
Context
The existing implementation of setting the DB password relied on an existing instance to set the DB_PASSWORD
variable. However, if that service does not exist at the time of running, you will see:
TASK [Set lumensctl secrets] ***************************************************************************************************************************************************************************************************************************************************************************************
fatal: [cs-ccr-mpesw2.cern.ch]: FAILED! => {"changed": true, "cmd": "echo <our password was here>! | lumensctl secret -S lhc-hwc-acctesting-server-dev -V ACCTESTING_DB_SECRET", "delta": "0:00:00.110334", "end": "2024-06-14 16:55:38.284848", "msg": "non-zero return code", "rc": 3, "start": "2024-06-14 16:55:38.174514", "stderr": "", "stderr_lines": [], "stdout": "No LUMENS service found: -S option did not match.", "stdout_lines": ["No LUMENS service found: -S option did not match."]}
Also see that our password was leaked to the logs.
What was done
- Move the setting of the DB password once the new service is generated.
- Added `no_log: true`.
You can see the associated AccTesting MR here: https://gitlab.cern.ch/acc-co/mpesoft/acctesting/-/merge_requests/305
Edited by Matthew Philip Elliott
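An added illustration of the leak and the `no_log: true` fix described above; it is not code from this merge request or from the AccTesting repository. The variable names `acctesting_db_password` and `lumens_service` are hypothetical, and the hardened form assumes `lumensctl secret` reads the value from stdin, as the logged `echo ... |` pipeline implies.

```yaml
# Before: the password is interpolated into the shell command line, so on
# failure Ansible prints it in the "cmd" field of the task result (as in the
# log above) and it is also visible in the process list while the task runs.
- name: Set lumensctl secrets
  ansible.builtin.shell: >-
    echo {{ acctesting_db_password }} |
    lumensctl secret -S {{ lumens_service }} -V ACCTESTING_DB_SECRET

# After: run this only once the service has been generated. The secret is
# passed on stdin instead of the command line, and no_log censors the task
# result (arguments, cmd, stdout) in console output and logs.
- name: Set lumensctl secrets
  ansible.builtin.command:
    argv:
      - lumensctl
      - secret
      - "-S"
      - "{{ lumens_service }}"
      - "-V"
      - ACCTESTING_DB_SECRET
    stdin: "{{ acctesting_db_password }}"
  no_log: true
  register: lumens_secret_result   # hypothetical variable name
  failed_when: false               # failure is reported by the next task
  changed_when: lumens_secret_result.rc == 0

# no_log hides the whole result, including the useful error. Report only the
# return code and the service name, neither of which contains the secret.
# In the log above, rc 3 accompanied "No LUMENS service found".
- name: Report lumensctl failure without echoing the secret
  ansible.builtin.fail:
    msg: >-
      lumensctl secret failed with rc={{ lumens_secret_result.rc }}
      for service {{ lumens_service }}
  when: lumens_secret_result.rc != 0
```

Because the password already reached the logs once, it should be treated as exposed and rotated, independent of the playbook change.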