openshift · openshift-merge-robot · Sep 12, 2018 · Sep 3, 2018
diff --git a/Makefile b/Makefile
@@ -286,11 +286,11 @@ azure:
 	$(MAKE) apply WHAT=projects/azure/cluster-wide.yaml
 	$(MAKE) apply WHAT=projects/azure/rbac.yaml
 	# ci namespace objects
-	oc create secret generic cluster-secrets-azure --from-file=cluster/test-deploy/azure/secret -o yaml --dry-run | oc apply -n ci -f -
+	oc create secret generic cluster-secrets-azure-file --from-file=cluster/test-deploy/azure/secret -o yaml --dry-run | oc apply -n ci -f -
 	oc create configmap prow-job-cluster-launch-e2e-azure --from-file=ci-operator/templates/cluster-launch-e2e-azure.yaml -o yaml --dry-run | oc apply -n ci -f -
 
 	# azure namespace objects
-	oc create secret generic cluster-secrets-azure --from-literal=azure_client_id=${AZURE_CLIENT_ID} --from-literal=azure_client_secret=${AZURE_CLIENT_SECRET} --from-literal=azure_tenant_id=${AZURE_TENANT_ID} --from-literal=azure_subscription_id=${AZURE_SUBSCRIPTION_ID} -o yaml --dry-run | oc apply -n azure -f -
+	oc create secret generic cluster-secrets-azure-env --from-literal=azure_client_id=${AZURE_CLIENT_ID} --from-literal=azure_client_secret=${AZURE_CLIENT_SECRET} --from-literal=azure_tenant_id=${AZURE_TENANT_ID} --from-literal=azure_subscription_id=${AZURE_SUBSCRIPTION_ID} -o yaml --dry-run | oc apply -n azure -f -
 	oc create secret generic aws-reg-master --from-literal=username=${AWS_REG_USERNAME} --from-literal=password=${AWS_REG_PASSWORD} -o yaml --dry-run | oc apply -n azure -f -
 	oc create secret generic hmac-token --from-literal=hmac=${HMAC_TOKEN} -o yaml --dry-run | oc apply -n azure -f -
 	oc create secret generic oauth-token --from-literal=oauth=${OAUTH_TOKEN} -o yaml --dry-run | oc apply -n azure -f -

diff --git a/ci-operator/jobs/openshift/openshift-azure/openshift-openshift-azure-postsubmits.yaml b/ci-operator/jobs/openshift/openshift-azure/openshift-openshift-azure-postsubmits.yaml
@@ -37,17 +37,17 @@ postsubmits:
           name: job-definition
           subPath: cluster-launch-e2e-azure.yaml
         - mountPath: /usr/local/e2e-azure-secret
-          name: cluster-secrets-azure
+          name: cluster-secrets-azure-file
       serviceAccountName: ci-operator
       volumes:
       - configMap:
           name: prow-job-cluster-launch-e2e-azure
         name: job-definition
-      - name: cluster-secrets-azure
+      - name: cluster-secrets-azure-file
         projected:
           sources:
           - secret:
-              name: cluster-secrets-azure
+              name: cluster-secrets-azure-file
   - agent: kubernetes
     branches:
     - master
@@ -86,14 +86,14 @@ postsubmits:
           name: job-definition
           subPath: cluster-launch-e2e-azure-upgrade.yaml
         - mountPath: /usr/local/e2e-azure-secret
-          name: cluster-secrets-azure
+          name: cluster-secrets-azure-file
       serviceAccountName: ci-operator
       volumes:
       - configMap:
           name: prow-job-cluster-launch-e2e-azure-upgrade
         name: job-definition
-      - name: cluster-secrets-azure
+      - name: cluster-secrets-azure-file
         projected:
           sources:
           - secret:
-              name: cluster-secrets-azure
+              name: cluster-secrets-azure-file
diff --git a/ci-operator/jobs/openshift/openshift-azure/openshift-openshift-azure-presubmits.yaml b/ci-operator/jobs/openshift/openshift-azure/openshift-openshift-azure-presubmits.yaml
@@ -44,17 +44,17 @@ presubmits:
           name: job-definition
           subPath: cluster-launch-e2e-azure.yaml
         - mountPath: /usr/local/e2e-azure-secret
-          name: cluster-secrets-azure
+          name: cluster-secrets-azure-file
       serviceAccountName: ci-operator
       volumes:
       - configMap:
           name: prow-job-cluster-launch-e2e-azure
         name: job-definition
-      - name: cluster-secrets-azure
+      - name: cluster-secrets-azure-file
         projected:
           sources:
           - secret:
-              name: cluster-secrets-azure
+              name: cluster-secrets-azure-file
     trigger: ((?m)^/test( all| e2e),?(\s+|$))
   - agent: kubernetes
     always_run: true
@@ -166,17 +166,17 @@ presubmits:
           name: job-definition
           subPath: cluster-launch-e2e-azure-upgrade.yaml
         - mountPath: /usr/local/e2e-azure-secret
-          name: cluster-secrets-azure
+          name: cluster-secrets-azure-file
       serviceAccountName: ci-operator
       volumes:
       - configMap:
           name: prow-job-cluster-launch-e2e-azure-upgrade
         name: job-definition
-      - name: cluster-secrets-azure
+      - name: cluster-secrets-azure-file
         projected:
           sources:
           - secret:
-              name: cluster-secrets-azure
+              name: cluster-secrets-azure-file
     trigger: ((?m)^/test upgrade,?(\s+|$))
   - agent: kubernetes
     always_run: false
@@ -226,15 +226,15 @@ presubmits:
           name: job-definition
           subPath: cluster-launch-e2e-azure-conformance.yaml
         - mountPath: /usr/local/e2e-azure-secret
-          name: cluster-secrets-azure
+          name: cluster-secrets-azure-file
       serviceAccountName: ci-operator
       volumes:
       - configMap:
           name: prow-job-cluster-launch-e2e-azure-conformance
         name: job-definition
-      - name: cluster-secrets-azure
+      - name: cluster-secrets-azure-file
         projected:
           sources:
           - secret:
-              name: cluster-secrets-azure
+              name: cluster-secrets-azure-file
     trigger: ((?m)^/test conformance,?(\s+|$))
diff --git a/projects/azure/README.md b/projects/azure/README.md
@@ -10,7 +10,7 @@ Prow configuration is located in this repository `ci-operator/jobs/openshift/ope
 
 To run CI-Operator job manually you need to have to have [CI-Operator](https://github.com/openshift/ci-operator) installed in your path.
 Modify secret location in file `cluster-launch-e2e-azure.yaml` as below. This is because `ci-operator` set secret based on path where files are located and they are different in local development and CI server.
-``` - name: cluster-secrets-azure
+``` - name: cluster-secrets-azure-file
       secret:
          secretName: azure
 ```
@@ -25,6 +25,15 @@ ci-operator --config ci-operator/config/openshift/openshift-azure/master.yaml --
 
 # Secret rotation
 
+We use 2 types of secrets. Both of them contain the same data but in a different formats. 
+
+```
+-file - file based secret. It can be sourced by script (see ci-operator jobs code)
+-env - environment based secret. It can be injected to pod using pod spec (see azure-purge code)
+```
+
+## File secret
+
 OSA jobs are using `Web API App` credentials on Azure to run jobs. If for some reason you need to rotate secret, follow this process:
 
 1. Go to `Azure Active Directory` -> `App Registrations` -> `ci-operator-jobs` -> `Settings` -> `Keys`
@@ -41,24 +50,26 @@ export AZURE_SUBSCRIPTION_ID=<subscription id>
 4. Create a secret
 
 ```
-oc create secret generic cluster-secrets-azure --from-file=cluster/test-deploy/azure/secret -o yaml --dry-run | oc apply -n ci -f -	
+oc create secret generic cluster-secrets-azure-file --from-file=cluster/test-deploy/azure/secret -o yaml --dry-run | oc apply -n ci -f -	
 ```
 
 5. (Optional, if you dont have access to CI namespace)
 
 ```
-oc apply secret generic cluster-secrets-azure-temp --from-file=cluster/test-deploy/azure/secret -o yaml --dry-run | oc apply -n azure -f -
+oc apply secret generic cluster-secrets-azure-file --from-file=cluster/test-deploy/azure/secret -o yaml --dry-run | oc apply -n azure -f -
 ```
 
 and ask somebody, who has access to execute:
 
 ```
-oc get secret cluster-secrets-azure-temp --export -n azure -o yaml | sed 's/cluster-secrets-azure-temp/cluster-secrets-azure/g' | oc apply -f - -n ci
+oc get secret cluster-secrets-azure-file --export -n azure -o yaml | oc apply -f - -n ci
 ```
 
-6. Do the same for azure secret. It has slightly different format:
+## Env secret
+
+Rotate azure env secret:
 
 ```
 source ./cluster/test-deploy/azure/secret
-oc create secret generic cluster-secrets-azure --from-literal=azure_client_id=${AZURE_CLIENT_ID} --from-literal=azure_client_secret=${AZURE_CLIENT_SECRET} --from-literal=azure_tenant_id=${AZURE_TENANT_ID} --from-literal=azure_subscription_id=${AZURE_SUBSCRIPTION_ID} -o yaml --dry-run | oc apply -n azure -f -
+oc create secret generic cluster-secrets-azure-env --from-literal=azure_client_id=${AZURE_CLIENT_ID} --from-literal=azure_client_secret=${AZURE_CLIENT_SECRET} --from-literal=azure_tenant_id=${AZURE_TENANT_ID} --from-literal=azure_subscription_id=${AZURE_SUBSCRIPTION_ID} -o yaml --dry-run | oc apply -n azure -f -
 ```
diff --git a/projects/azure/azure-purge/cronjob.yaml b/projects/azure/azure-purge/cronjob.yaml
@@ -22,21 +22,21 @@ spec:
             - name: AZURE_TENANT_ID
               valueFrom:
                 secretKeyRef:
-                  name: cluster-secrets-azure
+                  name: cluster-secrets-azure-env
                   key: azure_tenant_id
             - name: AZURE_SUBSCRIPTION_ID
               valueFrom:
                 secretKeyRef:
-                  name: cluster-secrets-azure
+                  name: cluster-secrets-azure-env
                   key: azure_subscription_id
             - name: AZURE_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: cluster-secrets-azure
+                  name: cluster-secrets-azure-env
                   key: azure_client_id
             - name: AZURE_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: cluster-secrets-azure
+                  name: cluster-secrets-azure-env
                   key: azure_client_secret
           restartPolicy: Never