Maintenance
- Domains & SSL Certificates + rotation
- Secrets
Domains & SSL Certificates
We have the following DNS records set up for the Project Portal:
- project.fusion.equinor.com
Domains
Domains have to be configured in the Azure Portal. Contact the Fusion Core team to have this managed.
Certificates
For each of these DNS records, we maintain SSL certificates. These need to be rotated. This procedure is automated in Radix by Certificate automation.
How we handle certificates
- DNS records setup in Fusion
- Certificates stored in Radix config
- Certificate rotation notifications
Rotating a certificate
Rotating an SSL certificate is automated in Radix by Certificate automation.
Secrets
Secrets are stored in multiple Azure KeyVaults, depending on the application.
Each application and environment should be linked to an AppReg in AD by a provided secret. The value itself is generated in the AppReg while the secret reference is stored in KeyVault.
Secret rotation
AppRegs with secrets that need manual renewal:
Environment | App Registration | Key vault | Resource group |
---|---|---|---|
Feature | project-portal-feature | kv-pep-api-noe-feature | rg-project-execution-portal-noe-feature |
Feature | project-portal-webserver-feature | kv-pep-ws-noe-feature | rg-project-execution-portal-noe-feature |
Production | project-portal-prod | kv-pep-api-noe-prod | rg-project-execution-portal-noe-prod |
Production | project-portal-webserver-prod | kv-pep-ws-noe-prod | rg-project-execution-portal-noe-prod |
Test | project-portal-test | kv-pep-api-noe-test | rg-project-execution-portal-noe-test |
Test | ai-pep-ws-noe-test | kv-pep-ws-noe-test | rg-project-execution-portal-noe-test |
To replace an app secret, follow these steps:
- Generate a new client secret in the app registration for the application
- Go to the keyvault kv-pep-<env>.
- Under secrets locate the AzureAd--ClientSecret.
- Create a new version
- Disable the old version(s)
- Restart the pod in Radix to test that it works
Sql servers
server name | resource group | Subscription |
---|---|---|
sql-pep-api-noe-feature | rg-project-execution-portal-noe-sql-feature | S364-Johan Castberg Project Portal |
sql-pep-api-noe-test | rrg-project-execution-portal-noe-sql-test | S364-Johan Castberg Project Portal |
sql-pep-api-noe-prod | rrg-project-execution-portal-noe-sql-prod | S364-Johan Castberg Project Portal |
Key vaults
key vault name | resource group | Subscription |
---|---|---|
kv-pep-api-noe-feature | rg-project-execution-portal-noe-feature | S364-Johan Castberg Project Portal |
kv-pep-noe-test | rg-project-execution-portal-noe-test | S364-Johan Castberg Project Portal |
kv-pep-noe-prod | rg-project-execution-portal-noe-prod | S364-Johan Castberg Project Portal |
kv-pep-noe-shared | rg-project-execution-portal-noe-shared | S364-Johan Castberg Project Portal |
Steps to rotate sql password
Start by activating the contributor role on the S364-Johan Castberg Project Portal subscription
- Go to the SQL server in Azure.
- Click the reset password in the top right of the screen
- Generate a new password using a password manager, e.g. Keeper (take care not to have any ; , { , } characters in your password)
- Enter the secrets tab of the corresponding keyvault
- Copy the secret value of the ConnectionStrings--ProjectPortalContext
- Update the password section of the connection string with the new password
- Create a new version of the secret ConnectionStrings--ProjectPortalContext and paste the connection string with the new password as secret value
- Restart the pods in Radix and test that everything still works
- Open the secrets tab in kv-pep-noe-shared, update the corresponding sql-password (Create new version). Set the expiration to 12 months
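The password check and connection-string edit from the steps above, as an added Python example (not part of the Project Portal tooling). The sample connection string, server name and passwords are constructed, and it assumes an unquoted ADO.NET-style `Password=` or `Pwd=` key.

```python
import secrets
import string

FORBIDDEN = set(";{}")  # characters the procedure says to keep out of the password
ALPHABET = [c for c in string.ascii_letters + string.digits + "!#$%*+-_.:?@^~"
            if c not in FORBIDDEN]


def generate_password(length=32):
    """Random password with lower, upper and digit, and no forbidden characters."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.islower() for c in pw) and any(c.isupper() for c in pw) \
                and any(c.isdigit() for c in pw):
            return pw


def replace_password(conn_str, new_password):
    """Return conn_str with only the value of its Password/Pwd key replaced."""
    bad = FORBIDDEN.intersection(new_password)
    if bad:
        raise ValueError(f"forbidden characters in password: {sorted(bad)}")
    parts, replaced = [], 0
    for part in conn_str.split(";"):
        key, sep, _old = part.partition("=")
        if sep and key.strip().lower() in ("password", "pwd"):
            parts.append(f"{key}={new_password}")
            replaced += 1
        else:
            parts.append(part)
    # Refuse to guess if the key is missing or duplicated.
    if replaced != 1:
        raise ValueError(f"expected exactly one password key, found {replaced}")
    return ";".join(parts)


def redact(conn_str):
    """Copy of conn_str that is safe to print or log."""
    return replace_password(conn_str, "***")


if __name__ == "__main__":
    # Constructed sample; not a real server or credential.
    old = ("Server=tcp:sql-example.database.windows.net,1433;Initial Catalog=ExampleDb;"
           "User ID=exampleadmin;Password=OldConstructedPw1;Encrypt=True;")
    new = replace_password(old, generate_password())
    print(redact(new))
```

Only the redacted form is printed, so the new password does not end up in terminal scrollback or logs.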
Changelog Action
When a modification occurs within the primary branch of our central repository, fusion-project-portal, it automatically triggers the update of the changelog file in our internal documentation repository, named fusion-project-portal-internal.
This seamless process is facilitated by an API_TOKEN_GITHUB, which requires regular maintenance and is subject to expiration.
To ensure uninterrupted functionality, it is essential to replace the existing API_TOKEN_GITHUB with a fresh one. You can acquire a new API_TOKEN_GITHUB by visiting this link and granting it the 'repo' permission. After obtaining the new token, remember to update the corresponding secret in the Secrets section of your repository options.