From 748c28da2cb0b4e9613d6dd4030b12693261c156 Mon Sep 17 00:00:00 2001
From: Theo Chatzimichos <tampakrap@opensuse.org>
Date: Jan 14 2018 11:53:40 +0000
Subject: Merge branch 'deploy_saltmaster_passwd' into 'production'


add the saltmaster deploy password on the gitlab-runner's sudoers rule

See merge request infra/salt!145
---

diff --git a/pillar/role/worker_gitlab.sls b/pillar/role/worker_gitlab.sls
index bcb334b..57656f3 100644
--- a/pillar/role/worker_gitlab.sls
+++ b/pillar/role/worker_gitlab.sls
@@ -1,6 +1,2 @@
-sudoers:
-  included_files:
-    /etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy:
-      users:
-        gitlab-runner:
-          - 'ALL=(ALL) NOPASSWD: /usr/bin/salt-call event.fire_master update salt/fileserver/gitfs/update'
+include:
+  - secrets.role.saltmaster
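Review bot: Including `secrets.role.saltmaster` in the gitlab worker's pillar presumably exposes every key in that secrets file to this minion, not only `profile:salt:reactor:update_fileserver_deploy_password`, which is the one key the new sudoers template reads. If the file holds anything besides the deploy password, CI runner hosts gain access to salt master secrets they have no use for. A dedicated pillar file carrying only the deploy password would keep the runner to the one secret it needs, for example `- secrets.role.<runner-deploy-pillar>` (placeholder name), included by both roles.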
diff --git a/salt/profile/gitlab_runner/files/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy b/salt/profile/gitlab_runner/files/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy
new file mode 100644
index 0000000..8e2a8b6
--- /dev/null
+++ b/salt/profile/gitlab_runner/files/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy
@@ -0,0 +1,4 @@
+# Managed by Salt
+
+{% set deploy_password = salt['pillar.get']('profile:salt:reactor:update_fileserver_deploy_password', '') %}
+gitlab-runner ALL=(ALL) NOPASSWD: /usr/bin/salt-call event.fire_master {{ deploy_password }} salt/fileserver/gitfs/update
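Review bot: The `''` default on `pillar.get` in the `{% set %}` line means a missing or mistyped pillar key still renders a syntactically valid NOPASSWD rule, only without the password argument, so the state reports success while the rule no longer matches the intended command. Emitting the rule only when the value is present fails closed: wrap the `gitlab-runner ALL=(ALL) NOPASSWD: ...` line in `{% if deploy_password %}` and `{% endif %}`. The value is also interpolated raw into a sudoers command specification, where characters such as `,`, `:`, `=`, `\`, `*` and `?` are significant, so the password should be limited to a plain alphanumeric alphabet or escaped before rendering. Because the secret travels as a command-line argument, it will likely show up in process listings and sudo logs on the runner; a comment in the template such as `# deploy password is visible in argv and sudo logs; rotate if the runner is compromised` would record that trade-off.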
diff --git a/salt/profile/gitlab_runner/init.sls b/salt/profile/gitlab_runner/init.sls
new file mode 100644
index 0000000..adccde0
--- /dev/null
+++ b/salt/profile/gitlab_runner/init.sls
@@ -0,0 +1,5 @@
+/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy:
+  file.managed:
+    - source: salt://profile/gitlab_runner/files/etc/sudoers.d/gitlab-runner_nopasswd_saltmaster_deploy
+    - template: jinja
+    - mode: 440
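Review bot: This `file.managed` state renders a file that contains the deploy password, but it does not suppress the change diff, so the secret can end up in state returns and the job cache whenever the file changes; adding `- show_changes: False` avoids that. The state also installs the sudoers fragment without validating it, and a malformed file under /etc/sudoers.d can break sudo on the host; `- check_cmd: /usr/sbin/visudo -c -f` (path as on a typical install, confirm for the target distribution) makes Salt reject a bad render before it is put in place. Ownership is left to the default; stating `- user: root` and `- group: root` explicitly, and quoting the mode as `'0440'`, would make the intended permissions unambiguous.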
diff --git a/salt/role/worker_gitlab.sls b/salt/role/worker_gitlab.sls
index 792d600..5618782 100644
--- a/salt/role/worker_gitlab.sls
+++ b/salt/role/worker_gitlab.sls
@@ -1 +1,2 @@
-#
+include:
+  - profile.gitlab_runner