Scrub tracked secrets and switch ATVM docs to local credential references
- remove hardcoded credentials, tokens, registration codes, and similar secret values from tracked ATVM and CDS MCP docs - replace those values with references to /home/aw/code/cds/.env.credentials.local and the corresponding environment variable names - update current operator guides to instruct sourcing .env.credentials.local before credential-dependent setup and automation workflows - update the ATVM setup scripts to consume ATVM_TARGET_PASSWORD from the environment instead of hardcoding the Ubuntu root SSH password - scrub the remaining tracked artifact log entry that still included the old CMC registration code - keep the local-only credential inventory in .env.credentials.local while leaving that file untracked
@@ -16,6 +16,8 @@
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
ATVM_ROOT_SSH_PASSWORD="${ATVM_TARGET_PASSWORD:-}"
|
||||
|
||||
# Colors for output
|
||||
RED='\033[0;31m'
|
||||
GREEN='\033[0;32m'
|
||||
@@ -432,7 +434,12 @@ configure_ubuntu_root_ssh_access() {
|
||||
|
||||
print_warning "Ubuntu-specific workflow: configuring root account for SSH password login"
|
||||
|
||||
echo "root:cdsi2012" | ${SUDO_CMD} chpasswd
|
||||
if [[ -z "$ATVM_ROOT_SSH_PASSWORD" ]]; then
|
||||
print_error "ATVM_TARGET_PASSWORD must be set before running the Ubuntu root SSH workflow"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "root:${ATVM_ROOT_SSH_PASSWORD}" | ${SUDO_CMD} chpasswd
|
||||
${SUDO_CMD} passwd -u root >/dev/null 2>&1 || true
|
||||
print_info "Root password set to configured workflow value"
|
||||
|
||||
@@ -464,7 +471,7 @@ EOF"
|
||||
|
||||
ROOT_SSH_CONFIGURED=true
|
||||
print_info "Root SSH/password workflow configured for Ubuntu"
|
||||
print_info "Next operator step: reconnect as root with password cdsi2012"
|
||||
print_info "Next operator step: reconnect as root using the ATVM_TARGET_PASSWORD value"
|
||||
}
|
||||
|
||||
#==============================================================================
|
||||
@@ -1453,7 +1460,7 @@ print_final_summary() {
|
||||
"
|
||||
summary_output+=" * PasswordAuthentication enabled
|
||||
"
|
||||
summary_output+=" * Reconnect as root/cdsi2012 for root-only workflow
|
||||
summary_output+=" * Reconnect as root using the ATVM_TARGET_PASSWORD value for root-only workflow
|
||||
"
|
||||
else
|
||||
summary_output+="[SKIP] Step 2: Ubuntu Root SSH Access Configuration
|
||||
@@ -1697,7 +1704,7 @@ After hash match is confirmed on controller:
|
||||
echo " * Root password set to workflow value"
|
||||
echo " * PermitRootLogin enabled"
|
||||
echo " * PasswordAuthentication enabled"
|
||||
echo " * Reconnect as root/cdsi2012 for root-only workflow"
|
||||
echo " * Reconnect as root using the ATVM_TARGET_PASSWORD value for root-only workflow"
|
||||
else
|
||||
echo -e "${YELLOW}[SKIP] Step 2: Ubuntu Root SSH Access Configuration${NC}"
|
||||
echo " * Not applied"
|
||||
|
||||
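Review bot: Replacing the literal on the `chpasswd` line does not retire that credential. This commit's own diff still carries the old value, and hosts provisioned by earlier runs presumably still accept it for root over SSH, since the summary lines report PermitRootLogin and PasswordAuthentication as enabled; it needs rotating on those hosts, not only scrubbing from the tree. In the new code, the `-z` guard in configure_ubuntu_root_ssh_access rejects only an empty value, while chpasswd reads one `user:password` pair per line, so a value containing a newline would be parsed as an additional pair. A guard next to the empty check would close that, e.g. `[[ "$ATVM_ROOT_SSH_PASSWORD" != *$'\n'* ]] || { print_error "ATVM_TARGET_PASSWORD must be a single line"; exit 1; }`. Part of the function body lies between the hunks and is not shown.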
@@ -2,9 +2,18 @@
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
WORKSPACE_ROOT="${WORKSPACE_ROOT:-/home/aw/code/cds}"
|
||||
ENV_CREDENTIALS_FILE="${ENV_CREDENTIALS_FILE:-$WORKSPACE_ROOT/.env.credentials.local}"
|
||||
|
||||
if [[ -f "$ENV_CREDENTIALS_FILE" ]]; then
|
||||
# Load local-only credential defaults for controller-side SSH and remote setup.
|
||||
# shellcheck disable=SC1090
|
||||
source "$ENV_CREDENTIALS_FILE"
|
||||
fi
|
||||
|
||||
REMOTE_IP_PRIMARY="${REMOTE_IP_PRIMARY:-192.168.0.121}"
|
||||
REMOTE_IP_SECONDARY="${REMOTE_IP_SECONDARY:-192.168.3.191}"
|
||||
REMOTE_USER="${REMOTE_USER:-root}"
|
||||
REMOTE_USER="${REMOTE_USER:-${ATVM_TARGET_USER:-root}}"
|
||||
PROJECT_DIR="${PROJECT_DIR:-/home/aw/code/atvm}"
|
||||
LOCAL_LOG_DIR="${LOCAL_LOG_DIR:-$PROJECT_DIR/log}"
|
||||
LOCAL_SETUP_SCRIPT="${LOCAL_SETUP_SCRIPT:-$PROJECT_DIR/atvm_setup_script.sh}"
|
||||
@@ -14,6 +23,7 @@ WAIT_TIMEOUT_SECONDS="${WAIT_TIMEOUT_SECONDS:-600}"
|
||||
MODE="${1:-run-and-collect}"
|
||||
EXPECTED_IP_ARG="${EXPECTED_IP_ARG:-}"
|
||||
EXPECTED_HOSTNAME_ARG="${EXPECTED_HOSTNAME_ARG:-}"
|
||||
ATVM_PASSWORD="${ATVM_PASSWORD:-${ATVM_TARGET_PASSWORD:-}}"
|
||||
|
||||
SSH_OPTS=(-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=5)
|
||||
|
||||
@@ -157,7 +167,7 @@ if [[ "$MODE" == "run-and-collect" ]]; then
|
||||
|
||||
echo "Running remote setup script on ${INITIAL_HOST} (disconnect is expected during IP/reboot steps)"
|
||||
set +e
|
||||
run_ssh "$INITIAL_HOST" "chmod +x '$REMOTE_SETUP_SCRIPT' && bash '$REMOTE_SETUP_SCRIPT' --expected-ip '$EXPECTED_IP_ARG' --expected-hostname '$EXPECTED_HOSTNAME_ARG'"
|
||||
run_ssh "$INITIAL_HOST" "chmod +x '$REMOTE_SETUP_SCRIPT' && ATVM_TARGET_PASSWORD='${ATVM_TARGET_PASSWORD:-}' bash '$REMOTE_SETUP_SCRIPT' --expected-ip '$EXPECTED_IP_ARG' --expected-hostname '$EXPECTED_HOSTNAME_ARG'"
|
||||
run_status=$?
|
||||
set -e
|
||||
if (( run_status != 0 )); then
|
||||
|
||||
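Review bot: The new `run_ssh` line in the `run-and-collect` branch interpolates the password into the remote command string inside single quotes, so a value containing `'` ends the quoting and the remainder is interpreted by the remote shell. The value also becomes part of the command line, so it is presumably visible in process listings on the controller and on the target while the setup script runs. At minimum, quote it before interpolation: `printf -v pw_q '%q' "${ATVM_TARGET_PASSWORD:-}"`, then `ATVM_TARGET_PASSWORD=${pw_q} bash '$REMOTE_SETUP_SCRIPT' ...` in the command string; this assumes the remote login shell is bash, which the hunk does not show. Passing the value over stdin would keep it out of argument lists, if `run_ssh` forwards stdin; its definition is outside the hunks. The context line `SSH_OPTS=(-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ...)` means the host receiving this root credential is not authenticated, so pinning host keys is worth doing now that the password travels over this connection.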