CircleCI Service Account Token Rotation
When the CircleCI service account token gets rotated, the Cloud Platform team will provide comms.
1. Check and update the pipeline_variables script
fb-deploy repository (read the README)
You’ll need to update the bin/pipeline_variables bash script with the new token names.
There are several different namespaces to get this information from.
The first one is from the formbuilder-deploy namespace.
Run kubectl get secrets -n formbuilder-deploy
Secrets from other namespaces are also referenced later in the script, so make sure the new token name will work in the script.
Get the secrets from the namespace.
kubectl get secrets -n <formbuilder-namespace>
2. Update the CircleCI contexts with the new tokens
In CircleCI > Org > Context > moj_forms - replace:
EKS_CLUSTER_CERT
EKS_TOKEN
Keep the base64 encoding.
The last unmasked characters shown in CircleCI may be the same for the old and new values. Just replace them.
Rerun the pipeline_variables script for a service in the platform namespace(s):
./bin/pipeline_variables fb-submitter
In CircleCI > Org > Context > moj-forms-platform-apps - replace:
EKS_TOKEN_LIVE_DEV
EKS_TOKEN_TEST_PRODUCTION
EKS_TOKEN_LIVE_DEV
EKS_TOKEN_LIVE_PRODUCTION
Rerun the pipeline_variables script for a service in the services namespace(s):
./bin/pipeline_variables fb-runner
In CircleCI > Org > Context > moj-forms-services-apps - replace:
EKS_TOKEN_LIVE_DEV
EKS_TOKEN_TEST_PRODUCTION
EKS_TOKEN_LIVE_DEV
EKS_TOKEN_LIVE_PRODUCTION
Again, keep the base64 encoding.
3. Update individual pipelines with the new tokens
Run the pipeline_variables script for a service deployed into another namespace.
Then update the Environment Variables in the pipeline settings.
They will be named something like:
EKS_TOKEN_LIVE
EKS_TOKEN_TEST
EKS_TOKEN_STAGING
Again, keep the base64 encoding.
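
A pre-paste check for the "keep the base64 encoding" instruction in steps 2 and 3, as an added example that is not part of the fb-deploy repository. It reports whether a token or cluster certificate value is base64-encoded exactly once, was decoded, or was encoded a second time. The function names and the sample token are constructed for illustration, and a base64 command that accepts -d (GNU coreutils) is assumed.

```bash
#!/usr/bin/env bash
# Added example, not part of fb-deploy. Function names and sample values are
# constructed. Assumes a base64 command that accepts -d (GNU coreutils).

# A service account token is a JWT: three dot-separated base64url segments.
is_jwt() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# A decoded cluster certificate is PEM text.
is_pem_cert() {
  case "$1" in *"-----BEGIN CERTIFICATE-----"*) return 0 ;; *) return 1 ;; esac
}

# Decode exactly one layer of base64; non-zero exit on invalid input.
b64_decode() {
  printf '%s' "$1" | base64 -d 2>/dev/null
}

# classify <is_jwt|is_pem_cert> <value>
# Prints: ok (encoded once, paste as is), decoded (encoding was stripped),
# double-encoded (encoded a second time), or unknown.
classify() {
  if "$1" "$2"; then echo decoded; return 0; fi
  _once="$(b64_decode "$2")" || { echo unknown; return 0; }
  if "$1" "$_once"; then echo ok; return 0; fi
  _twice="$(b64_decode "$_once")" || { echo unknown; return 0; }
  if "$1" "$_twice"; then echo double-encoded; else echo unknown; fi
}

classify_token() { classify is_jwt "$1"; }
classify_cert()  { classify is_pem_cert "$1"; }

# Constructed sample: a fake three-segment token, never a real credential.
sample_jwt='aGVhZGVy.cGF5bG9hZA.c2ln'
sample_b64="$(printf '%s' "$sample_jwt" | base64 | tr -d '\n')"
echo "encoded once: $(classify_token "$sample_b64")"
echo "raw JWT:      $(classify_token "$sample_jwt")"
```

Only a value reported as ok should go into the CircleCI context or pipeline environment variable; the check prints the classification and never the value itself.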