Passing a secret to an openQA job

[rclobus]

Hello,

I've a question regarding passing secrets to openqa jobs. I want to pass a secret API token with openqa-cli, and could not find a suitable way to do so.

I've used the following command line:

openqa-clone-job --within-instance https://openqa.debian.net --skip-deps 357965 _SECRET_SALSA_TOKEN=glpat-ABCDEFGHIJKLMNOPQRST 'SALSA_RESULT_LINK=https://salsa.debian.org/api/v4/projects/90547/statuses/8ca3030dc6a9d05a1c99a865a08533614a76202d?pipeline_id=781746&name=oqa_qa/openqa/openqa-tests-debian:debian_nonGUI@amd64&target_url=:target_url&state=:state' SALSA_RESULT_TEST=true SALSA_PASSWORD=MyPassword

The result is:

• https://openqa.debian.net/tests/358078#settings -> SALSA_PASSWORD and _SECRET_SALSA_TOKEN are visible
• https://openqa.debian.net/tests/358078/file/vars.json -> Both secrets are removed, as is documented in the testapi documentation for set_var: "Variables starting with SECRET or including _PASSWORD will not appear in the vars.json file."

The test 't/24-worker-jobs.t' verifies that the file vars.json is scrubbed of the passwords.

However, the values for the PASSWORD and SECRET are plainly visible in the 'Settings' tab.

Did I miss something?

With kind regards,
Roland

PS: Minor nitpick: the HTML rendering of the manual (http://open.qa/api/testapi/) renders the word _SECRET_ in italics instead of as a literal.

[okurz]

The result is:

* https://openqa.debian.net/tests/358078#settings -> `SALSA_PASSWORD` and `_SECRET_SALSA_TOKEN` are visible

* https://openqa.debian.net/tests/358078/file/vars.json -> Both secrets are removed, as is documented in the testapi documentation for `set_var`: "Variables starting with _SECRET_ or including _PASSWORD will not appear in the vars.json file."

That is effectivey the current state of secret handing. That means that you can put secrets into the worker config and it will stay hidden. Hiding secrets from openQA settings would be covered by https://progress.opensuse.org/issues/105624