From d882502b41c92032552ab0d507c1715bc23e9d6a Mon Sep 17 00:00:00 2001
From: Jakub Stilec
Date: Thu, 1 Jul 2021 18:36:31 +0200
Subject: [PATCH 1/7] product builds secret configuration
---
 ...roduct-builds-dnceng-pipeline-secrets.yaml | 70 +++++++++
 .vault-config/product-builds-engkeyvault.yaml | 148 ++++++++++++++++++
 .vault-config/product-builds-helixprodkv.yaml | 10 ++
 .../product-builds-netsourceindexvault.yaml | 13 ++
 4 files changed, 241 insertions(+)
 create mode 100644 .vault-config/product-builds-dnceng-pipeline-secrets.yaml
 create mode 100644 .vault-config/product-builds-engkeyvault.yaml
 create mode 100644 .vault-config/product-builds-helixprodkv.yaml
 create mode 100644 .vault-config/product-builds-netsourceindexvault.yaml
diff --git a/.vault-config/product-builds-dnceng-pipeline-secrets.yaml b/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
new file mode 100644
index 00000000000..c1564634866
--- /dev/null
+++ b/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
@@ -0,0 +1,70 @@
+storageLocation:
+ type: azure-key-vault
+ parameters:
+ subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1
+ name: dnceng-pipeline-secrets
+
+
+secrets:
+ #DotNet-DotNetCli-Storage
+ dotnetcli-storage-key:
+ type: text
+ parameters:
+ description: set to never expire
+
+ dotnetclichecksums-storage-key:
+ type: text
+ parameters:
+ description: set to never expire
+
+
+ #DotNet-MSRC-Storage
+ dotnetbuilddropsmsrc-access-key:
+ type: text
+ parameters:
+ description: set to never expire
+
+ dotnetclichecksumsmsrc-storage-key:
+ type: text
+ parameters:
+ description: set to never expire
+
+ dotnetclimsrc-access-key:
+ type: text
+ parameters:
+ description: set to never expire
+
+ dotnetclimsrc-private-feed-url:
+ type: text
+ parameters:
+ description: set to never expire
+
+ dotnetclimsrc-read-sas-token:
+ type: text
+ parameters:
+ description: set to never expire
+
+ dotnetclimsrc-read-sas-token-base64:
+ type: text
+ parameters:
+ description: set to never expire
+
+ dotnetfeedmsrc-private-feed-url:
+ type: text
+ parameters:
+ description: set to never expire
+
+ dotnetfeedmsrc-read-sas-token-base64:
+ type: text
+ parameters:
+ description: set to never expire
+
+ dotnetfeedmsrc-storage-access-key-1:
+ type: text
+ parameters:
+ description: set to never expire
+
+
+
+
+
diff --git a/.vault-config/product-builds-engkeyvault.yaml b/.vault-config/product-builds-engkeyvault.yaml
new file mode 100644
index 00000000000..a12271cf274
--- /dev/null
+++ b/.vault-config/product-builds-engkeyvault.yaml
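Review bot: The six storage keys in this hunk (`dotnetcli-storage-key`, `dotnetclichecksums-storage-key`, `dotnetbuilddropsmsrc-access-key`, `dotnetclichecksumsmsrc-storage-key`, `dotnetclimsrc-access-key`, `dotnetfeedmsrc-storage-access-key-1`) are declared `type: text` with `description: set to never expire`, whereas the comparable key in product-builds-engkeyvault.yaml, `dotnetfeed-storage-access-key-1`, uses `type: azure-storage-key` with `subscription` and `account`, which is the form the tool can regenerate. If these accounts are reachable from the tool, the same typed form would put them under managed rotation; if they are not, the description should record that rotation is manual and who owns it, because "set to never expire" reads as a property of the key rather than a decision, e.g. `description: rotated manually by <owning team>; not managed by the secret tool` with the owner filled in. Later commits in this series derive connection strings and SAS tokens from `dotnetclimsrc-access-key` and `dotnetfeedmsrc-storage-access-key-1`, so everything downstream inherits whatever rotation these keys actually get.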
@@ -0,0 +1,148 @@
+storageLocation:
+ type: azure-key-vault
+ parameters:
+ subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1
+ name: EngKeyVault
+
+references:
+ helixkv:
+ type: azure-key-vault
+ parameters:
+ subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1
+ name: helixkv
+
+secrets:
+ BotAccount-dotnet-maestro-bot:
+ type: github-account
+ parameters:
+ Name: dotnet-maestro-bot
+
+ #DotNet-Blob-Feed
+ dotnetfeed-storage-access-key-1:
+ type: azure-storage-key
+ parameters:
+ subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1
+ account: dotnetfeed
+
+
+ #Publish-Build-Assets
+ MaestroAccessToken:
+ type: maestro-access-token
+ parameters:
+ environment: maestro-prod.westus2.cloudapp.azure.com
+
+ BotAccount-dotnet-maestro-bot-PAT:
+ type: github-access-token
+ parameters:
+ GitHubBotAccountSecret: BotAccount-dotnet-maestro-bot
+ GitHubBotAccountName: dotnet-maestro-bot
+
+ dn-bot-dnceng-build-rw-code-rw:
+ type: azure-devops-access-token
+ parameters:
+ domainAccountName: dn-bot
+ domainAccountSecret:
+ location: helixkv
+ name: dn-bot-account-redmond
+ name: dn-bot-dnceng-build
+ organization: dnceng
+
+ akams:
+ type: github-oauth-secret
+ parameters:
+ appName: akams
+ description: set to never expire
+
+ publishing-dnceng-devdiv-code-r-build-re:
+ type: azure-devops-access-token
+ parameters:
+ domainAccountName: dn-bot
+ domainAccountSecret:
+ location: helixkv
+ name: dn-bot-account-redmond
+ name: publishing-dnceng-devdiv-code
+ organization: dnceng
+
+ dn-bot-dotnet-build-rw-code-rw:
+ type: azure-devops-access-token
+ parameters:
+ domainAccountName: dn-bot
+ domainAccountSecret:
+ location: helixkv
+ name: dn-bot-account-redmond
+ name: dn-bot-dotnet-build
+ organization: dnceng
+
+ dn-bot-all-orgs-build-rw-code-rw:
+ type: azure-devops-access-token
+ parameters:
+ domainAccountName: dn-bot
+ domainAccountSecret:
+ location: helixkv
+ name: dn-bot-account-redmond
+ name: dn-bot-all-orgs-build
+ organization: dnceng
+
+
+ #DotNet-AllOrgs-Darc-Pats
+
dn-bot-devdiv-dnceng-rw-code-pat:
+ type: azure-devops-access-token
+ parameters:
+ domainAccountName: dn-bot
+ domainAccountSecret:
+ location: helixkv
+ name: dn-bot-account-redmond
+ name: dn-bot-devdiv-dnceng
+ organization: dnceng
+
+
+ #AzureDevOps-Artifact-Feeds-Pats
+ dn-bot-dnceng-artifact-feeds-rw:
+ type: azure-devops-access-token
+ parameters:
+ domainAccountName: dn-bot
+ domainAccountSecret:
+ location: helixkv
+ name: dn-bot-account-redmond
+ name: dn-bot-dnceng-artifact-feeds
+ organization: dnceng
+
+ dn-bot-dnceng-universal-packages-rw:
+ type: azure-devops-access-token
+ parameters:
+ domainAccountName: dn-bot
+ domainAccountSecret:
+ location: helixkv
+ name: dn-bot-account-redmond
+ name: dn-bot-dnceng-universal-packages
+ organization: dnceng
+
+ dn-bot-all-orgs-artifact-feeds-rw:
+ type: azure-devops-access-token
+ parameters:
+ domainAccountName: dn-bot
+ domainAccountSecret:
+ location: helixkv
+ name: dn-bot-account-redmond
+ name: dn-bot-all-orgs-artifact-feeds
+ organization: dnceng
+
+
+ #DotNet-Symbol-Server-Pats
+ microsoft-symbol-server-pat:
+ type: azure-devops-access-token
+ parameters:
+ domainAccountSecret:
+ location: helixkv
+ name: dn-bot-account-redmond
+ name: microsoft-symbol-server-pat
+ organization: dnceng
+
+ symweb-symbol-server-pat:
+ type: azure-devops-access-token
+ parameters:
+ domainAccountSecret:
+ location: helixkv
+ name: dn-bot-account-redmond
+ name: dn-symweb-symbol-server-pat
+ organization: dnceng
\ No newline at end of file
diff --git a/.vault-config/product-builds-helixprodkv.yaml b/.vault-config/product-builds-helixprodkv.yaml
new file mode 100644
index 00000000000..1bbe767b152
--- /dev/null
+++ b/.vault-config/product-builds-helixprodkv.yaml
@@ -0,0 +1,10 @@
+storageLocation:
+ type: azure-key-vault
+ parameters:
+ subscription: 68672ab8-de0c-40f1-8d1b-ffb20bd62c0f
+ name: HelixProdKV
+
+secrets:
+ HelixApiAccessToken:
+ type: helix-access-token
+ environment: helix.dot.net
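Review bot: `microsoft-symbol-server-pat` and `symweb-symbol-server-pat` at the end of the engkeyvault hunk omit `domainAccountName: dn-bot`, which every other `azure-devops-access-token` entry in this file sets alongside the same `domainAccountSecret`; unless the type treats the name as optional, generating those two will fail or use an unintended account, so either add `domainAccountName: dn-bot` to both or add a comment saying why it is absent. The intended PAT scope appears only in the secret names (`-build-rw-code-rw`, `-artifact-feeds-rw`, `-code-r-build-re`) and nothing in the parameters pins it, so this file alone cannot show that the generated tokens are least-privilege; a one-line comment per entry naming the scopes it must carry would make drift detectable at review time. `dn-bot-devdiv-dnceng-rw-code-pat` sets `organization: dnceng` although its name suggests devdiv is involved — worth confirming that is intended.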
diff --git a/.vault-config/product-builds-netsourceindexvault.yaml b/.vault-config/product-builds-netsourceindexvault.yaml
new file mode 100644
index 00000000000..0d104a8134b
--- /dev/null
+++ b/.vault-config/product-builds-netsourceindexvault.yaml
@@ -0,0 +1,13 @@
+storageLocation:
+ type: azure-key-vault
+ parameters:
+ subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1
+ name: netsourceindexvault
+
+
+secrets:
+ #source-dot-net stage1 variables
+ source-dot-net-stage1-blob-container-url:
+ type: text
+ parameters:
+ description: set to never expire
From 7b09b32659966b0fa94dd1e921848c639951b60e Mon Sep 17 00:00:00 2001
From: Jakub Stilec
Date: Thu, 8 Jul 2021 18:24:05 +0200
Subject: [PATCH 2/7] updated per code review comments, there are still open questions (marked as TO-DO)
---
 ...roduct-builds-dnceng-pipeline-secrets.yaml | 42 +++++++++++++------
 .vault-config/product-builds-engkeyvault.yaml | 4 --
 .vault-config/product-builds-helixprodkv.yaml | 2 +-
 .../product-builds-netsourceindexvault.yaml | 13 ++++--
 4 files changed, 40 insertions(+), 21 deletions(-)
diff --git a/.vault-config/product-builds-dnceng-pipeline-secrets.yaml b/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
index c1564634866..084733b027b 100644
--- a/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
+++ b/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
@@ -4,7 +4,6 @@ storageLocation: subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1 name: dnceng-pipeline-secrets - secrets: #DotNet-DotNetCli-Storage dotnetcli-storage-key:
@@ -17,7 +16,6 @@ secrets: parameters: description: set to never expire - #DotNet-MSRC-Storage dotnetbuilddropsmsrc-access-key: type: text
@@ -39,32 +37,50 @@ secrets: parameters: description: set to never expire + dotnetclimsrc-connection-string: + type: azure-storage-connection-string + parameters: + storageKeySecret: dotnetclimsrc-access-key + subscription: #TO-DO + account: dotnetclimsrc + dotnetclimsrc-read-sas-token: - type: text + type: azure-storage-container-sas-uri parameters: - description: set to never expire + connectionString: dotnetclimsrc-connection-string + permissions: rl + container: #TO-DO dotnetclimsrc-read-sas-token-base64: - type: text + type: base64-encoder parameters: - description: set to never expire + secret: dotnetclimsrc-read-sas-token dotnetfeedmsrc-private-feed-url: type: text parameters: description: set to never expire - dotnetfeedmsrc-read-sas-token-base64: - type: text - parameters: - description: set to never expire - dotnetfeedmsrc-storage-access-key-1: type: text parameters: description: set to never expire + dotnetfeedmsrc-connection-string: + type: azure-storage-connection-string + parameters: + storageKeySecret: dotnetfeedmsrc-storage-access-key-1 + subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1 + account: dotnetfeedmsrc + dotnetfeedmsrc-read-sas-token: + type: azure-storage-container-sas-uri + parameters: + connectionString: dotnetfeedmsrc-connection-string + permissions: r + container: #TO-DO - - + dotnetfeedmsrc-read-sas-token-base64: + type: base64-encoder + parameters: + secret: dotnetfeedmsrc-read-sas-token
\ No newline at end of file
diff --git a/.vault-config/product-builds-engkeyvault.yaml b/.vault-config/product-builds-engkeyvault.yaml
index a12271cf274..b1b806bdceb 100644
--- a/.vault-config/product-builds-engkeyvault.yaml
+++ b/.vault-config/product-builds-engkeyvault.yaml
@@ -24,7 +24,6 @@ secrets: subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1 account: dotnetfeed - #Publish-Build-Assets MaestroAccessToken: type: maestro-access-token
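Review bot: `subscription: #TO-DO` and `container: #TO-DO` in the new `dotnetclimsrc-connection-string`, `dotnetclimsrc-read-sas-token` and `dotnetfeedmsrc-read-sas-token` entries are empty values followed by a comment, so a YAML loader sees `null` rather than a placeholder string; if the tool does not validate required parameters, this file can be merged and fail only at generation time, so they should be filled in before the series lands (a later commit here does so). The two read tokens also differ in `permissions` — `rl` for `dotnetclimsrc-read-sas-token` and `r` for `dotnetfeedmsrc-read-sas-token` — although both are named read tokens and both feed a `base64-encoder`; if the CLI scenario genuinely needs list, a comment such as `# rl: consumers enumerate the container` keeps the next editor from normalizing it, otherwise drop `l` so both carry the same minimal permission.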
@@ -83,7 +82,6 @@ secrets: name: dn-bot-all-orgs-build organization: dnceng - #DotNet-AllOrgs-Darc-Pats dn-bot-devdiv-dnceng-rw-code-pat: type: azure-devops-access-token
@@ -95,7 +93,6 @@ secrets: name: dn-bot-devdiv-dnceng organization: dnceng - #AzureDevOps-Artifact-Feeds-Pats dn-bot-dnceng-artifact-feeds-rw: type: azure-devops-access-token
@@ -127,7 +124,6 @@ secrets: name: dn-bot-all-orgs-artifact-feeds organization: dnceng - #DotNet-Symbol-Server-Pats microsoft-symbol-server-pat: type: azure-devops-access-token
diff --git a/.vault-config/product-builds-helixprodkv.yaml b/.vault-config/product-builds-helixprodkv.yaml
index 1bbe767b152..345e7e143e5 100644
--- a/.vault-config/product-builds-helixprodkv.yaml
+++ b/.vault-config/product-builds-helixprodkv.yaml
@@ -7,4 +7,4 @@ storageLocation: secrets: HelixApiAccessToken: type: helix-access-token - environment: helix.dot.net + environment: helix.dot.net
\ No newline at end of file
diff --git a/.vault-config/product-builds-netsourceindexvault.yaml b/.vault-config/product-builds-netsourceindexvault.yaml
index 0d104a8134b..ad104d09955 100644
--- a/.vault-config/product-builds-netsourceindexvault.yaml
+++ b/.vault-config/product-builds-netsourceindexvault.yaml
@@ -4,10 +4,17 @@ storageLocation: subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1 name: netsourceindexvault - secrets: + source-dot-net-stage1-connection-string: + type: azure-storage-connection-string + parameters: + subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1 + account: netsourceindexstage1 + #source-dot-net stage1 variables source-dot-net-stage1-blob-container-url: - type: text + type: azure-storage-container-sas-uri parameters: - description: set to never expire + connectionString: source-dot-net-stage1-connection-string + permissions: racwdl + container: stage1F
\ No newline at end of file
From e104843e7a5ab9603e91815fb7c7c0b4939a6873 Mon Sep 17 00:00:00 2001
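Review bot: `permissions: racwdl` on `source-dot-net-stage1-blob-container-url` in the netsourceindexvault hunk grants read, add, create, write, delete and list on the stage1 container; if the consumer only uploads index output, `d` (delete) is not needed, and whatever set remains should carry a comment giving the justification so it is not widened further without thought. The entry keeps its `-blob-container-url` name while turning into a write-capable SAS, so any consumer that treats the value as a plain URL (logging it, echoing it in pipeline output) now exposes a credential — a comment on the entry such as `# value is a container SAS with write access; treat as a secret, never log` would flag that. Also the new `source-dot-net-stage1-connection-string` entry is placed above the `#source-dot-net stage1 variables` heading it belongs to, so the comment no longer heads its group.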
From: Jakub Stilec
Date: Thu, 8 Jul 2021 18:44:25 +0200
Subject: [PATCH 3/7] fixed typo
---
 .vault-config/product-builds-netsourceindexvault.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.vault-config/product-builds-netsourceindexvault.yaml b/.vault-config/product-builds-netsourceindexvault.yaml
index ad104d09955..c1b49124444 100644
--- a/.vault-config/product-builds-netsourceindexvault.yaml
+++ b/.vault-config/product-builds-netsourceindexvault.yaml
@@ -17,4 +17,4 @@ secrets: parameters: connectionString: source-dot-net-stage1-connection-string permissions: racwdl - container: stage1F
\ No newline at end of file
+ container: stage1
\ No newline at end of file
From 7534b08bbe64346b3e4fad4dd75c505c96a4b395 Mon Sep 17 00:00:00 2001
From: Jakub Stilec
Date: Thu, 8 Jul 2021 18:52:29 +0200
Subject: [PATCH 4/7] updated sas uri to sas token
---
 .vault-config/product-builds-dnceng-pipeline-secrets.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.vault-config/product-builds-dnceng-pipeline-secrets.yaml b/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
index 084733b027b..9d92bdc8f32 100644
--- a/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
+++ b/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
@@ -45,7 +45,7 @@ secrets: account: dotnetclimsrc dotnetclimsrc-read-sas-token: - type: azure-storage-container-sas-uri + type: azure-storage-container-sas-token parameters: connectionString: dotnetclimsrc-connection-string permissions: rl
@@ -74,7 +74,7 @@ secrets: account: dotnetfeedmsrc dotnetfeedmsrc-read-sas-token: - type: azure-storage-container-sas-uri + type: azure-storage-container-sas-token parameters: connectionString: dotnetfeedmsrc-connection-string permissions: r
From 27199e26918f570d7c6d00945bb992a14b5f46c8 Mon Sep 17 00:00:00 2001
From: Jakub Stilec
Date: Mon, 12 Jul 2021 23:13:25 +0200
Subject: [PATCH 5/7] added missing parameters + better description for private feed urls
---
 .../product-builds-dnceng-pipeline-secrets.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/.vault-config/product-builds-dnceng-pipeline-secrets.yaml b/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
index 9d92bdc8f32..125bd3782fa 100644
--- a/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
+++ b/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
@@ -35,13 +35,12 @@ secrets: dotnetclimsrc-private-feed-url: type: text parameters: - description: set to never expire + description: created manually from SAS in the format https://dotnetclimsrc.azurewebsites.net/sig/{sig}/se{se} dotnetclimsrc-connection-string: type: azure-storage-connection-string parameters: storageKeySecret: dotnetclimsrc-access-key - subscription: #TO-DO account: dotnetclimsrc dotnetclimsrc-read-sas-token:
@@ -49,7 +48,7 @@ secrets: parameters: connectionString: dotnetclimsrc-connection-string permissions: rl - container: #TO-DO + container: dotnet dotnetclimsrc-read-sas-token-base64: type: base64-encoder
@@ -59,7 +58,7 @@ secrets: dotnetfeedmsrc-private-feed-url: type: text parameters: - description: set to never expire + description: created manually from SAS in the format https://dotnetfeedmsrc.azurewebsites.net/sig/{sig}/se{se} dotnetfeedmsrc-storage-access-key-1: type: text
@@ -78,7 +77,7 @@ secrets: parameters: connectionString: dotnetfeedmsrc-connection-string permissions: r - container: #TO-DO + container: $root dotnetfeedmsrc-read-sas-token-base64: type: base64-encoder
From 496edc363aded650d7f49f980d5fc8242ad61a21 Mon Sep 17 00:00:00 2001
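Review bot: The new descriptions for `dotnetclimsrc-private-feed-url` and `dotnetfeedmsrc-private-feed-url` say the value is assembled by hand from a SAS (`/sig/{sig}/se{se}`), so each URL embeds the signature and expiry of a token that is presumably the `dotnetclimsrc-read-sas-token` / `dotnetfeedmsrc-read-sas-token` the tool now generates from the connection strings in this file. While the URLs stay `type: text`, rotating that token leaves the URL pointing at the old signature, and nothing in the config records the coupling; the description should name the source secret where the rotator will see it, e.g. `description: built manually from dotnetclimsrc-read-sas-token (its sig and se values); regenerate whenever that SAS token is rotated`, and likewise for the dotnetfeedmsrc entry. If the URL is in fact derived from a different SAS than the one declared here, say which, since the rotation dependency is the part a reader cannot reconstruct from the format string alone.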
From: Jakub Stilec
Date: Tue, 13 Jul 2021 17:23:01 +0200
Subject: [PATCH 6/7] fixes after testing
---
 .vault-config/product-builds-dnceng-pipeline-secrets.yaml | 1 -
 .vault-config/product-builds-helixprodkv.yaml | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.vault-config/product-builds-dnceng-pipeline-secrets.yaml b/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
index 125bd3782fa..6c0b90ce500 100644
--- a/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
+++ b/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
@@ -69,7 +69,6 @@ secrets: type: azure-storage-connection-string parameters: storageKeySecret: dotnetfeedmsrc-storage-access-key-1 - subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1 account: dotnetfeedmsrc dotnetfeedmsrc-read-sas-token:
diff --git a/.vault-config/product-builds-helixprodkv.yaml b/.vault-config/product-builds-helixprodkv.yaml
index 345e7e143e5..4dc01995c60 100644
--- a/.vault-config/product-builds-helixprodkv.yaml
+++ b/.vault-config/product-builds-helixprodkv.yaml
@@ -7,4 +7,5 @@ storageLocation: secrets: HelixApiAccessToken: type: helix-access-token - environment: helix.dot.net
\ No newline at end of file
+ parameters:
+ environment: helix.dot.net
\ No newline at end of file
From bef8679b30147329ebcc62d50a204743727c81b3 Mon Sep 17 00:00:00 2001
From: Jakub Stilec
Date: Tue, 13 Jul 2021 17:28:12 +0200
Subject: [PATCH 7/7] fixes after testing
---
 .vault-config/product-builds-engkeyvault.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.vault-config/product-builds-engkeyvault.yaml b/.vault-config/product-builds-engkeyvault.yaml
index b1b806bdceb..a66d6576a3f 100644
--- a/.vault-config/product-builds-engkeyvault.yaml
+++ b/.vault-config/product-builds-engkeyvault.yaml
@@ -26,15 +26,15 @@ secrets: #Publish-Build-Assets MaestroAccessToken: - type: maestro-access-token + type: maestro-access-token parameters: environment: maestro-prod.westus2.cloudapp.azure.com BotAccount-dotnet-maestro-bot-PAT: type: github-access-token parameters: - GitHubBotAccountSecret: BotAccount-dotnet-maestro-bot - GitHubBotAccountName: dotnet-maestro-bot + gitHubBotAccountSecret: BotAccount-dotnet-maestro-bot + gitHubBotAccountName: dotnet-maestro-bot dn-bot-dnceng-build-rw-code-rw: type: azure-devops-access-token