From 97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Fri, 14 Oct 2022 16:56:55 +0000 Subject: [PATCH] Add an Ubuntu FIPS testing token OpenStack contributors have worked out a solution for enabling FIPS testing on Ubuntu nodes, which normally requires a paid subscription. The "token" field of the "openstack_ubuntu_fips" secret supplied here can be applied to a test node early during job setup by calling "pro attach {{ token }}" as root. The secret will be replaced periodically, in order to make any entitlement exfiltrated from job nodes unattractive for production use. Change-Id: I9fb9758f8deddc3c76fb22fc859291dea8cfcd43
---
zuul.d/secrets.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/zuul.d/secrets.yaml b/zuul.d/secrets.yaml
index 28c66f5f08..80bf479180 100644
--- a/zuul.d/secrets.yaml
+++ b/zuul.d/secrets.yaml
@@ -728,3 +728,20 @@ HETs35aycMm/KTjhryPoQbsAAmVe/i/+PFcyxcMDPZHQmJcWRD+K7lJb3o18kNST410B/ FtiR0LGtDxKM1bdi57Qc3f43P4jzY3Px07SSKVFKSkuI1zSLnsZSbmWg/wBHcjllsA73L l0HItpoMi3S3KDsFajJbk2UE6NhCBD7kmsSB69L6yb7VJdKZqMAHS2BSSXIRdA= + +# Periodically rotated throw-away entitlement for FIPS support on Ubuntu +# (last issued 2022-10-14) +- secret: + name: openstack_ubuntu_fips + data: + token: !encrypted/pkcs1-oaep + - kms69XcCp7KUCa+qlAKiGo2D3C65euTB5RlvbgZsMKWRI6XoGDdsCyIYsThpBwvYss/Gx + JODZpDJyP1XF66waNXttpBT7PNRWf2B2QzpOC6nTXjI6WJ3d3q+w3tv6D7lP676ZyagUd + VhrLFZVfh0T9jCkI6nt4izwdYBJML86ilxZ4hHka3ca06IL5caAO6Dzc7iDB/+BtNO6bA + MzkkdW1JLB+00vBxYrk/GNw8Fkd6Ms1ZaxvFwElwUzjOvmqJFPRsuYwzGlKoqXOlcTF87 + luq/4sVzSNSeU9SR+d2TEJB/dH+8pq8gyHiKqce24wMXqPNAQGT7Oa/bmmcPhmInbBjjA + Pquw3SJpa754PnyVwvsJt78f3Jgd2513hbYQq90uUgjOwAbNxbaSXoyIAAW2J0GQdWfyj + F9ieouvDpZmkDCRBr/YA3XOIhdDmglUZxynjOt1aLeSVH3R2EPbE4AIp0n8A2TG2KfBfb + jPJg4FIyS0HXAaJqNy4L0nq86zzH3M7dZs60mrLiQdnjHRrkSSCrQfPBrpKI0KLSGT+l+ + FcA753WnBbBX1e4WALrn9rPp4EfGK7UqcvBBk2WOJ173cmCGpW/twvE0sI4eXvSfcaKGR + psrzBw0oBoW1Fg6ctWsAgSnwLbeKv9GLhdLq2ml04V84jrJur8+sVHXV8w6xf0=
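Review bot: The comment above the new `openstack_ubuntu_fips` secret records only the issue date, so a reader of the file cannot tell how the token is meant to be consumed or when it is overdue for replacement. The commit message says it is handed to `pro attach {{ token }}` as root and replaced periodically to devalue any copy exfiltrated from a job node; that rationale belongs next to the secret, for example `# Consumed via "pro attach" early in job setup; keep that task no_log so the token stays out of job logs.` followed by `# Replace periodically and update the issue date above.` Whether the consuming jobs already suppress task output is not visible from this hunk, so that part should be confirmed against the job definitions. It would also help to name the owner of the rotation, since a hand-edited date is the only staleness signal here.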