Managing secrets using CERN puppet infrastructure is well documented at http://configdocs.web.cern.ch/configdocs/secrets/README.html and related pages. One thing we will assume is that you are logged in to a machine where you have access to the tbag command, e.g. aiadm.

Secrets get stored in a secure database inside the CERN network and will be available to the puppet manifest using the teigi puppet resource class.

For example if you want to store a secret file secret.txt for the hostgroup myhostgroup you can do on the command line:

tbag set --hg myhostgroup secretname --file secret.txt

This will store the secret in the secure storage. You can then deploy it in /some/secret/path by adding:

teigi::secret {"unique_resource_name":
  key => "secretname",
  path => "/some/secret/path/secret.txt",
  owner => "root",
  group => "root",
  mode  => "0400"
}

to your puppet manifest.

Make sure you have proper user, group and permissions set to make sure no one unexpected can access the secret.

Quick start

• Main page
• FAQ: CMSSW on Github
• CMS Naming, Coding, And Style Rules
• Proposing changes to CMSSW
• Setting up CMS environment using Singularity (new)
• Python virtual environment in CMSSW (new)
• CMSSW pull request approval workflow
• Collaborating with peers
• Working with CMSSW and UserCode
• Resolving conflicts & porting features
• How to use git through a proxy
• Building external packages (new)

Release Management

• CMSSW release notes
• Building a CMSSW release
• Integration Builds results
• Starting a new release cycle
• Forward ports
• Managing users and categories
• List categories and packages
• List of pending PRs
• Circle of pending PRs
• CMS-bot documentation
• CMS-bot commands

Infrastructure setup

• Monitoring
• Managing secrets with puppet
• Setting up builder machines
• Setting up builder machines [aarch64]
• Setting up builder machines [power8]
• Setting up cmsdev machines