
Set lumens secrets at start after generating

Matthew Philip Elliott requested to merge add-db-passwords-on-lumens-start into master

Context

The existing implementation of setting the DB password relied on an existing instance to set the DB_PASSWORD variable. However, if that service does not exist at the time of running, you will see:

TASK [Set lumensctl secrets] ***************************************************************************************************************************************************************************************************************************************************************************************
fatal: [cs-ccr-mpesw2.cern.ch]: FAILED! => {"changed": true, "cmd": "echo <our password was here>! | lumensctl secret -S lhc-hwc-acctesting-server-dev -V ACCTESTING_DB_SECRET", "delta": "0:00:00.110334", "end": "2024-06-14 16:55:38.284848", "msg": "non-zero return code", "rc": 3, "start": "2024-06-14 16:55:38.174514", "stderr": "", "stderr_lines": [], "stdout": "No LUMENS service found: -S option did not match.", "stdout_lines": ["No LUMENS service found: -S option did not match."]}

Also see that our password was leaked to the logs.

What was done

  1. Moved the setting of the DB password to after the new service is generated.
  2. Added no_log: true.

You can see the associated AccTesting MR here: https://gitlab.cern.ch/acc-co/mpesoft/acctesting/-/merge_requests/305

Edited by Matthew Philip Elliott
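The following is an added illustration of the two task shapes the MR describes; it is not the MR's own playbook. The `lumensctl secret -S <service> -V <var>` invocation reading the value from stdin is taken from the failing task output above; the service and variable names (`lumens_service`, `acctesting_db_password`) are placeholders, and the task that generates the service is assumed to exist earlier in the play, since its command is not shown in the MR. The hardened task also goes one step beyond the MR's fix by passing the secret through the module's `stdin` instead of an `echo` on the command line.

```yaml
# Added example, not the MR's code. Names other than the lumensctl arguments
# shown in the MR are placeholders.

# Before: the secret is part of the command string, so a failure report
# (which prints "cmd", "stdout" and "stderr") contains the password verbatim,
# and the task runs before the Lumens service exists, so it fails with
# "No LUMENS service found: -S option did not match."
- name: Set lumensctl secrets (before)
  ansible.builtin.shell: >-
    echo {{ acctesting_db_password }} |
    lumensctl secret -S {{ lumens_service }} -V ACCTESTING_DB_SECRET

# After: placed in the play after the task that generates the service
# (not shown here), and with no_log so Ansible never prints the task result.
# Feeding the secret via stdin additionally keeps it out of the "cmd" field
# and out of the target's process list, where an "echo <password>" argument
# would be visible while the pipeline runs.
- name: Set lumensctl secrets (after)
  ansible.builtin.command:
    argv:
      - lumensctl
      - secret
      - -S
      - "{{ lumens_service }}"
      - -V
      - ACCTESTING_DB_SECRET
    stdin: "{{ acctesting_db_password }}"
  no_log: true
```

One caveat with `no_log: true`: when the hardened task does fail (for example with the same "No LUMENS service found" exit code 3), Ansible replaces the whole result with a notice that output was hidden, so the `stdout` line that made the original failure easy to diagnose is no longer visible. Keeping the task ordered after service generation is therefore what fixes the failure; `no_log` only stops the secret from leaking when something else goes wrong.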
