control-tower 0.20.0
tl;dr: Migrate to using specific service account credentials for self-update pipeline
When we first introduced the self-update pipeline we followed the "simplest thing that works" approach and set it up so that the pipeline ran with the session credentials. In other words, the AWS or GCP creds used on the last manual run of control-tower deploy would be written into the self-update pipeline's YAML, and then the pipeline would be set. This isn't ideal because it means anyone with access to the main team can easily see, in plain text, the credentials of the person who last ran control-tower deploy.
This release uses Terraform to create a dedicated self-update user, then loads that user's creds into CredHub so that the self-update pipeline can read them at run time. This means not only that the session creds are no longer used, but also that the new creds don't show up in the deploy output or in the output of fly get-pipeline.
On AWS the service user is further restricted to only have permissions when calls originate from the NAT IP of the worker VMs (i.e. when run from a Concourse task).
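As an added illustration of the AWS pattern described above (not control-tower's own Terraform; the resource names, the worker_nat_ip variable and the listed IAM actions are assumptions), a Terraform 0.11-style configuration that creates a dedicated self-update user and restricts its key to calls arriving from the worker NAT IP:

```terraform
# Illustrative only: control-tower's real Terraform and the permissions the
# deploy needs are not reproduced here.
variable "worker_nat_ip" {
  description = "Public IP of the NAT in front of the Concourse worker VMs (assumed)"
}

# Dedicated user so the pipeline never carries an operator's session creds.
resource "aws_iam_user" "self_update" {
  name = "control-tower-self-update"
}

resource "aws_iam_access_key" "self_update" {
  user = "${aws_iam_user.self_update.name}"
}

data "aws_iam_policy_document" "self_update" {
  statement {
    effect    = "Allow"
    actions   = ["ec2:Describe*"] # placeholder: the actions the deploy actually needs
    resources = ["*"]

    # The key only works when the request originates from the worker NAT IP,
    # i.e. from a Concourse task; a leaked key is useless elsewhere.
    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = ["${var.worker_nat_ip}/32"]
    }
  }
}

resource "aws_iam_user_policy" "self_update" {
  name   = "self-update"
  user   = "${aws_iam_user.self_update.name}"
  policy = "${data.aws_iam_policy_document.self_update.json}"
}

# Marked sensitive so the secret is not echoed in plan/apply output; the
# deployer then stores both values in CredHub and the pipeline references
# them as ((self_update_access_key_id)) / ((self_update_secret_access_key)).
output "self_update_access_key_id" {
  value = "${aws_iam_access_key.self_update.id}"
}

output "self_update_secret_access_key" {
  value     = "${aws_iam_access_key.self_update.secret}"
  sensitive = true
}
```

A quick check after deploying is that fly get-pipeline for the self-update pipeline shows only the ((...)) placeholders and no literal access key.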
Dependency bumps:
- director_bosh_release: 272.2.0 > 272.3.0
- director_bpm_release: 1.1.17 > 1.1.18
- director_stemcell_aws: 1.79 > 1.84
- director_stemcell_gcp: 1.79 > 1.84
Deploys:
AWS
- Concourse VM stemcell bosh-aws-xen-hvm-ubuntu-bionic-go_agent 1.76
- Director stemcell bosh-aws-xen-hvm-ubuntu-bionic-go_agent 1.84
- Concourse 7.7.1
- BOSH 272.3.0
- BOSH AWS CPI 93
- BPM 1.1.18
- Credhub 2.12.3
- Grafana 0.0.31
- InfluxDB 8.0.14
- UAA 75.18.0
- BOSH CLI 5.5.1
- Terraform 0.11.11
GCP
- Concourse VM stemcell bosh-google-kvm-ubuntu-bionic-go_agent 1.76
- Director stemcell bosh-google-kvm-ubuntu-bionic-go_agent 1.84
- Concourse 7.7.1
- BOSH 272.3.0
- BOSH GCP CPI 43.0.0
- BPM 1.1.18
- Credhub 2.12.3
- Grafana 0.0.31
- InfluxDB 8.0.14
- UAA 75.18.0
- BOSH CLI 5.5.1
- Terraform 0.11.11
Note: to build locally you will need to clone control-tower-ops (version 0.0.441) at the same level as control-tower to get the required manifests and ops files.