Service Principal used by infra.ci.jenkins.io to spawn Azure agents expires on 2024-03-22 #4000

Closed
lemeurherve opened this issue Mar 19, 2024 · 4 comments

@lemeurherve
Member

Service(s)

infra.ci.jenkins.io

Summary

The SP password end date is set to 2024-03-22:

https://github.com/jenkins-infra/azure/blob/1c14ad33dfbf32f96755346fdba2915be0a4989b/infra.ci.jenkins.io.tf#L44-L48

It needs to be updated, then the corresponding credentials must be updated in chart-secrets (private repo).

Reproduction steps

No response

@lemeurherve lemeurherve added the triage Incoming issues that need review label Mar 19, 2024
@dduportal dduportal removed the triage Incoming issues that need review label Mar 19, 2024
@dduportal dduportal self-assigned this Mar 20, 2024
dduportal added a commit to jenkins-infra/azure that referenced this issue Mar 20, 2024
Ref. jenkins-infra/helpdesk#4000

This PR changes the end date of this service principal used by infra.ci.jenkins.io to spin up Azure VM agents to rotate it (regular routine)
@dduportal
Contributor

Opened jenkins-infra/azure#648 to rotate (by extending expiration date of 3 months) the credential

dduportal added a commit to jenkins-infra/azure that referenced this issue Mar 20, 2024
…648)

Ref. jenkins-infra/helpdesk#4000

This PR changes the end date of this service principal used by
infra.ci.jenkins.io to spin up Azure VM agents to rotate it (regular
routine)
@dduportal
Contributor

Weird: the Azure console was still showing the old SP password while terraform (and Azure API) showed the new one.

Old password value was invalid and revoked (which is good) but no new value visible though. Might be an Azure weirdness.

Out of caution, we deleted the existing SP password (not the SP!) and ran the terraform azure job a second time to create the new credential with success

@dduportal
Contributor

  • Updated the credential manually in infra.ci and tested it through the associated button
  • Updated the credential in sops, pushed the change and kubernetes-management is currently re-deploying secrets

=> waiting 4 hours before closing (time to ensure any leftover in-memory Azure tokens are rotated to use the new SP)

@dduportal
Contributor
