From 3d87a6fdd4881cd8ba12aa4b187796c3137a510f Mon Sep 17 00:00:00 2001 From: Marvin Frommhold Date: Thu, 22 Jan 2026 11:40:05 +0100 Subject: [PATCH 1/4] complement credential handling of official compliance check pipeline Signed-off-by: Marvin Frommhold --- standards/certification/pipeline.md | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/standards/certification/pipeline.md b/standards/certification/pipeline.md index 0fbbd53ea1..9dfce8e818 100644 --- a/standards/certification/pipeline.md +++ b/standards/certification/pipeline.md 
@@ -108,11 +108,16 @@ We are going to create a pull request that is very similar to real-life example Again, insert your subject so that the list (after `gx-scs`) remains sorted. -4. Finally, add secrets to [.zuul.d/secure.yaml](https://github.com/SovereignCloudStack/standards/blob/main/.zuul.d/secure.yaml). +4. Finally, add application credentials to [.zuul.d/secure.yaml](https://github.com/SovereignCloudStack/standards/blob/main/.zuul.d/secure.yaml). This is necessary so the tests can access your cloud. - This step is the most involved, and you can always have us do it for you; in that case, please send us - the application credential id and secret via an encrypted channel, e.g. Matrix. + :::info + + When the application credentials expire, the test results in the [official pipeline](https://docs.scs.community/standards/certification/overview#compliant-cloud-environments) will turn red (MISS). This may also have a negative impact on a currently valid certification. There are two options to avoid this: + - It is recommended to use non-expiring application credentials. This ensures that renewal is not forgotten. You can withdraw them actively in case of a breach or any other reason you no longer want the official pipeline to access your cloud. + - Alternatively, application credentials that are about to expire must be renewed regularly via a pull request, as shown in this [PR example](https://github.com/SovereignCloudStack/standards/pull/1049). Please note that the renewal is your responsibility. + + ::: To proceed, you need `zuul-client` installed: 
@@ -169,10 +174,12 @@ We are going to create a pull request that is very similar to real-life example ### for SCS-compatible IaaS -Note: you may have to adapt these instructions to your infrastructure. For instance, the secrets +:::note + +You may have to adapt these instructions to your infrastructure. For instance, the application credentials we create here are stored locally. If you want to include the check suite into your own continuous-integration pipeline, you may want to use some dedicated credential store and mechanism for -injecting secrets. +injecting application credentials. You may want to take inspiration from our own Zuul setup by looking at [.zuul.d](https://github.com/SovereignCloudStack/standards/tree/main/.zuul.d) and @@ -180,6 +187,8 @@ You may want to take inspiration from our own Zuul setup by looking at However, don't be overwhelmed by the complexities of Zuul; it's well possible to use other solutions, including a cronjob. +::: + 1. Install requirements. ```shell From eca31121fa7c9c56d1f841008712b07a15d4c3c9 Mon Sep 17 00:00:00 2001 From: Marvin Frommhold Date: Thu, 22 Jan 2026 12:07:01 +0100 Subject: [PATCH 2/4] revert wording changes Signed-off-by: Marvin Frommhold --- standards/certification/pipeline.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/standards/certification/pipeline.md b/standards/certification/pipeline.md index 9dfce8e818..3a5535bd48 100644 --- a/standards/certification/pipeline.md +++ b/standards/certification/pipeline.md 
@@ -108,7 +108,7 @@ We are going to create a pull request that is very similar to real-life example Again, insert your subject so that the list (after `gx-scs`) remains sorted. -4. Finally, add application credentials to [.zuul.d/secure.yaml](https://github.com/SovereignCloudStack/standards/blob/main/.zuul.d/secure.yaml). +4. Finally, add secrets to [.zuul.d/secure.yaml](https://github.com/SovereignCloudStack/standards/blob/main/.zuul.d/secure.yaml). This is necessary so the tests can access your cloud. :::info @@ -179,7 +179,7 @@ We are going to create a pull request that is very similar to real-life example You may have to adapt these instructions to your infrastructure. For instance, the application credentials we create here are stored locally. If you want to include the check suite into your own continuous-integration pipeline, you may want to use some dedicated credential store and mechanism for -injecting application credentials. +injecting secrets. You may want to take inspiration from our own Zuul setup by looking at [.zuul.d](https://github.com/SovereignCloudStack/standards/tree/main/.zuul.d) and From 52fa4451356534d1efffbbcf8d741404e79bfa83 Mon Sep 17 00:00:00 2001 From: Marvin Frommhold Date: Thu, 22 Jan 2026 12:15:29 +0100 Subject: [PATCH 3/4] revert admonition Signed-off-by: Marvin Frommhold --- standards/certification/pipeline.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/standards/certification/pipeline.md b/standards/certification/pipeline.md index 3a5535bd48..4870c9435c 100644 --- a/standards/certification/pipeline.md +++ b/standards/certification/pipeline.md 
@@ -174,9 +174,7 @@ We are going to create a pull request that is very similar to real-life example ### for SCS-compatible IaaS -:::note - -You may have to adapt these instructions to your infrastructure. For instance, the application credentials +Note: you may have to adapt these instructions to your infrastructure. For instance, the secrets we create here are stored locally. If you want to include the check suite into your own continuous-integration pipeline, you may want to use some dedicated credential store and mechanism for injecting secrets. @@ -187,8 +185,6 @@ You may want to take inspiration from our own Zuul setup by looking at However, don't be overwhelmed by the complexities of Zuul; it's well possible to use other solutions, including a cronjob. -::: - 1. Install requirements. ```shell From b299e62ade1d58fe48180f8dbd163263753bbaff Mon Sep 17 00:00:00 2001 From: Marvin Frommhold Date: Thu, 22 Jan 2026 14:00:44 +0100 Subject: [PATCH 4/4] revise credential handling wording MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Matthias Büchse Signed-off-by: Marvin Frommhold --- standards/certification/pipeline.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/standards/certification/pipeline.md b/standards/certification/pipeline.md index 4870c9435c..ee672a362f 100644 --- a/standards/certification/pipeline.md +++ b/standards/certification/pipeline.md 
@@ -113,9 +113,10 @@ We are going to create a pull request that is very similar to real-life example :::info - When the application credentials expire, the test results in the [official pipeline](https://docs.scs.community/standards/certification/overview#compliant-cloud-environments) will turn red (MISS). This may also have a negative impact on a currently valid certification. There are two options to avoid this: - - It is recommended to use non-expiring application credentials. This ensures that renewal is not forgotten. You can withdraw them actively in case of a breach or any other reason you no longer want the official pipeline to access your cloud. - - Alternatively, application credentials that are about to expire must be renewed regularly via a pull request, as shown in this [PR example](https://github.com/SovereignCloudStack/standards/pull/1049). Please note that the renewal is your responsibility. + In case your secrets have an expiration date, it is your own responsibility + to update the secrets here in a timely fashion with a suitable PR + ([example](https://github.com/SovereignCloudStack/standards/pull/1049)); + otherwise you risk losing your certification! :::
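Review bot: In PATCH 1/4, hunk `@@ -108,11 +108,16 @@`, the two removed lines that offered to have the SCS team do this step ("you can always have us do it for you; in that case, please send us the application credential id and secret via an encrypted channel, e.g. Matrix") are dropped without replacement, and the commit message does not mention it. That sentence was the only place in the visible text that told operators to use an encrypted channel when handing over the credential id and secret. If removing the option is intended, say so in the commit message; otherwise keep the sentence next to the new info block. The first bullet also says non-expiring credentials can be withdrawn "in case of a breach" but not how; a short pointer to the withdrawal procedure would make that recommendation actionable.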
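Review bot: In PATCH 2/4, hunk `@@ -179,7 +179,7 @@`, only the last line goes back to "injecting secrets", while the first line of the same paragraph still reads "the application credentials we create here are stored locally", so at this commit the paragraph uses two terms for the same thing. The `@@ -108,7 +108,7 @@` hunk has the same effect: step 4 says "add secrets" again while the info block directly below keeps "application credentials". Revert both occurrences in this commit, or squash it into 1/4 so that no intermediate commit carries mixed wording.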
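Review bot: In PATCH 3/4, hunks `@@ -174,9 +174,7 @@` and `@@ -185,8 +185,6 @@` remove the `:::note` admonition that 1/4 added, but the `:::info` block that 1/4 added at step 4 stays, so the page ends up with one admonition and one plain "Note:" paragraph for the same kind of caveat. The subject "revert admonition" gives no reason for treating the two differently. Add one line of rationale to the commit message, or squash 1/4 through 3/4 so the series does not add and then remove the same lines.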
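Review bot: In PATCH 4/4, hunk `@@ -113,9 +113,10 @@`, the new text warns "otherwise you risk losing your certification!" but drops what the replaced lines spelled out: that expired credentials make the test results in the official pipeline turn red (MISS), together with the link to that pipeline. Keeping one sentence with that symptom tells operators what to watch for before the certification is affected. "update the secrets here" is also ambiguous inside an info block; naming `.zuul.d/secure.yaml` would be clearer. The recommendation for non-expiring credentials and the remark about withdrawing them after a breach are removed as well; the commit message should state whether that guidance was dropped on purpose.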