Alexandros Kosiaris has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/382608 )
Change subject: Deployment pipeline profile
......................................................................
Deployment pipeline profile
Creates a new profile for build pipeline hosts for CI. This profile
should be applied to production hosts to limit access to push
credentials.
This creates and places a small wrapper script around docker-push so
that credentials will only be readable by those with root permissions on
the production hosts.
Bug: T173128
Bug: T176896
Depends-On: I1a428095137600a36598ca145d8169a4dac64413
Change-Id: Ifabeec98d672768db80f722cf8df8e4d9d8b1fd0
---
A modules/docker_pusher/files/docker_pusher.sh
A modules/docker_pusher/manifests/init.pp
M modules/profile/manifests/ci/docker.pp
A modules/profile/manifests/ci/pipeline.pp
M modules/profile/manifests/ci/slave.pp
M modules/role/manifests/ci/master.pp
6 files changed, 58 insertions(+), 4 deletions(-)
Approvals:
Alexandros Kosiaris: Verified; Looks good to me, approved
diff --git a/modules/docker_pusher/files/docker_pusher.sh
b/modules/docker_pusher/files/docker_pusher.sh
new file mode 100644
index 0000000..1d399c1
--- /dev/null
+++ b/modules/docker_pusher/files/docker_pusher.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# docker-pusher is meant as a wrapper to protect credentials inside
+# /etc/docker-pusher/config.json.
+/usr/bin/docker --config /etc/docker-pusher push "$@"
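Review bot: The wrapper forwards `"$@"` to `docker ... push` unchanged, and because the sudoers entry added in init.pp (`/usr/local/bin/docker-pusher *`) matches any argument list, this four-line script is the only place where the caller's input is constrained. Consider rejecting anything that is not a plain image reference before invoking docker, e.g. `for a in "$@"; do case "$a" in -*) echo "docker-pusher: option arguments are not accepted" >&2; exit 1;; esac; done`, so that the push subcommand's own flags cannot be set from the unprivileged side. Using `exec /usr/bin/docker --config /etc/docker-pusher push "$@"` on the last line also avoids leaving a bash parent process around and passes docker's exit status through directly.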
diff --git a/modules/docker_pusher/manifests/init.pp
b/modules/docker_pusher/manifests/init.pp
new file mode 100644
index 0000000..0bf473f
--- /dev/null
+++ b/modules/docker_pusher/manifests/init.pp
@@ -0,0 +1,38 @@
+# == Class docker_pusher
+#
+# Installs small push script used by CI
+class docker_pusher(
+ $docker_pusher_user,
+) {
+ file { '/etc/docker-pusher':
+ ensure => 'directory',
+ owner => 'root',
+ group => 'root',
+ mode => '0400',
+ }
+
+ file { '/etc/docker-pusher/config.json':
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0400',
+ content => secret('docker-pusher/config.json'),
+ show_diff => false,
+ }
+
+ file { '/usr/local/bin/docker-pusher':
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0700',
+ source => 'puppet:///modules/docker_pusher/docker_pusher.sh',
+ }
+
+ sudo::user { "sudo ${docker_pusher_user} docker-pusher":
+ user => $docker_pusher_user,
+ privileges => [
+ 'ALL=(root) NOPASSWD: /usr/local/bin/docker-pusher *',
+ ]
+ }
+}
+
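Review bot: `/etc/docker-pusher` is declared as a directory with `mode => '0400'`, but a directory needs the execute bit to be traversed; root ignores DAC so the wrapper still works, yet the intended value is `mode => '0700'`, and 0400 on a directory will confuse anyone auditing the tree by hand. The class header does not document its parameter; add `# [*docker_pusher_user*] user granted passwordless sudo to run /usr/local/bin/docker-pusher` under `# == Class docker_pusher`. It is also worth a comment on the `sudo::user` resource that the trailing `*` admits any arguments, so `docker_pusher.sh` rather than sudoers is the place where the arguments are restricted.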
diff --git a/modules/profile/manifests/ci/docker.pp
b/modules/profile/manifests/ci/docker.pp
index fa5c784..55107a4 100644
--- a/modules/profile/manifests/ci/docker.pp
+++ b/modules/profile/manifests/ci/docker.pp
@@ -5,6 +5,9 @@
class profile::ci::docker(
$jenkins_agent_username = hiera('jenkins_agent_username'),
) {
+ # We will need to build containers in production
+ require_package('blubber')
+
apt::repository { 'thirdparty-ci':
uri => 'http://apt.wikimedia.org/wikimedia',
dist => "${::lsbdistcodename}-wikimedia",
diff --git a/modules/profile/manifests/ci/pipeline.pp
b/modules/profile/manifests/ci/pipeline.pp
new file mode 100644
index 0000000..b8268fe
--- /dev/null
+++ b/modules/profile/manifests/ci/pipeline.pp
@@ -0,0 +1,11 @@
+# == profile::ci::pipeline
+#
+# Profile that makes necessary provisions for building containers for
+# production.
+class profile::ci::pipeline(
+ $docker_pusher_user = hiera('jenkins_agent_username'),
+) {
+ class{ '::docker_pusher':
+ docker_pusher_user => $docker_pusher_user,
+ }
+}
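Review bot: `profile::ci::pipeline` declares `::docker_pusher`, whose wrapper runs `/usr/bin/docker`, but nothing in the profile expresses that docker must be installed; master.pp includes `profile::ci::docker` next to it in this same change, so the dependency is only implicit in the role. If `profile::ci::docker` is what provides the docker binary (the docker.pp hunk manages CI docker packaging but does not show that), add `require ::profile::ci::docker` at the top of the class body, or state the assumption in the header comment. The header should also document `$docker_pusher_user` and that it defaults to the hiera key `jenkins_agent_username`.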
diff --git a/modules/profile/manifests/ci/slave.pp
b/modules/profile/manifests/ci/slave.pp
index 751d01f..adfbb06 100644
--- a/modules/profile/manifests/ci/slave.pp
+++ b/modules/profile/manifests/ci/slave.pp
@@ -10,11 +10,7 @@
class profile::ci::slave {
include contint::packages::base
include contint::slave_scripts
- include ::profile::ci::docker
include ::profile::zuul::cloner
-
- # We will need to build containers in production
- require_package('blubber')
class { 'jenkins::slave':
# Master connect to itself via the fqdn / primary IP ipaddress
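Review bot: Removing `include ::profile::ci::docker` and the blubber package from `profile::ci::slave` affects every role that includes the slave profile, not only `role::ci::master`, which re-adds the docker profile in this same change; any other role built on `profile::ci::slave` would silently lose docker and blubber. Whether such roles exist is not visible in this diff, so it should be confirmed before relying on the move, and if they do exist the include belongs there as well. The `profile::ci::slave` class body continues past the end of the hunk.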
diff --git a/modules/role/manifests/ci/master.pp
b/modules/role/manifests/ci/master.pp
index d5a7547..26d6c33 100644
--- a/modules/role/manifests/ci/master.pp
+++ b/modules/role/manifests/ci/master.pp
@@ -19,6 +19,8 @@
include ::profile::ci::jenkins
include ::profile::ci::slave
include ::profile::ci::website
+ include ::profile::ci::docker
+ include ::profile::ci::pipeline
include ::profile::zuul::merger
include ::profile::zuul::server
}
Gerrit-MessageType: merged
Gerrit-Change-Id: Ifabeec98d672768db80f722cf8df8e4d9d8b1fd0
Gerrit-PatchSet: 8
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Thcipriani <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Dduvall <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Thcipriani <[email protected]>
Gerrit-Reviewer: Volans <[email protected]>
Gerrit-Reviewer: jenkins-bot <>