On 2023-05-10 13:21:48 +0100 (+0100), Sean Mooney wrote: [...]
> but that is a valid point
> the images that are uploaded to the CI providers are also publicly available. It's been a while, but I have actually downloaded them to try and reproduce an issue we only saw in CI in the past. So unless the subscription key was injected into the job from a Zuul secret, it would be in the nodepool image, which is publicly hosted.
The approach we took with the UA FIPS token was to add it at job run time from a Zuul secret supplied by a trusted config repo abstract job, which avoided baking it into our images, but it's still added to the job node in ways that could potentially be exposed to access by workloads in untrusted jobs inheriting from it. And yes, it *is* a complicated implementation which took months of back and forth and several false starts to get just right. We would have preferred to avoid that entirely and do FIPS compliance testing on CentOS Stream, but that proved unstable for other reasons.
-- 
Jeremy Stanley
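As an added illustration of the pattern Jeremy describes (this is an example sketch, not the thread's own code and not the actual zuul-jobs role the OpenStack infra team uses), the shape of a trusted config project supplying a subscription token at run time through an abstract job. All names (`ubuntu-advantage-token`, `enable-fips-base`, `ua_token`, the playbook path and node label) are hypothetical, the `ua` client invocation and the on-node state path are assumptions about the Ubuntu Advantage client (newer releases call the tool `pro`), and the ciphertext is a placeholder for what `zuul-client encrypt` would produce:

```yaml
# zuul.d/fips.yaml in the *trusted config project* (hypothetical names).
# Keeping the secret here, rather than in an image build, means the
# nodepool image that gets published to cloud providers never contains it.
- secret:
    name: ubuntu-advantage-token
    data:
      # Encrypted with the config project's Zuul public key; only the
      # Zuul executor can decrypt it. Placeholder ciphertext below.
      token: !encrypted/pkcs1-oaep
        - <ciphertext produced by zuul-client encrypt>

- job:
    name: enable-fips-base
    abstract: true            # cannot be scheduled directly, only inherited
    parent: base
    description: |
      Attach an Ubuntu Advantage subscription and enable FIPS at job run
      time instead of baking the token into the nodepool image.
    secrets:
      - name: ua_token                 # exposed to this job's playbooks only
        secret: ubuntu-advantage-token
        pass-to-parent: false
    pre-run: playbooks/fips/pre.yaml   # lives in the config project, so it
                                       # still runs when untrusted jobs inherit
    nodeset:
      nodes:
        - name: controller
          label: ubuntu-focal          # hypothetical label

# playbooks/fips/pre.yaml (hypothetical). Zuul exposes the secret to this
# playbook as the Ansible variable `ua_token`; child jobs defined in
# untrusted projects never see that variable.
- hosts: all
  tasks:
    - name: Attach the Ubuntu Advantage subscription
      become: true
      no_log: true                     # keep the token out of the job log
      command: "ua attach {{ ua_token.token }}"   # assumed client CLI

    - name: Enable the FIPS service
      become: true
      command: ua enable fips --assume-yes       # assumed client CLI

# Caveat matching the thread: the attach step leaves subscription state on
# the node (the client stores it under /var/lib/ubuntu-advantage/, assumed
# path), readable by root. A child job's run playbook, which may execute
# code from an untrusted proposed change, runs on that same node with sudo
# available, so the secret variable is contained but the node-side state
# is not. That is the exposure the message above describes.
```

The two properties worth checking before adopting this shape are the ones the thread turns on: that the published image has no token in it (inspect the image artifact, not the build log), and that whatever the pre-run playbook leaves on the node is something you are prepared to let an untrusted child job read.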