From d12b824dbb1f60d82cfb2e4f319dbcb483dcfb22 Mon Sep 17 00:00:00 2001
From: Theo Chatzimichos
Date: Nov 19 2017 17:35:37 +0000
Subject: more protection for the update_fileserver

right now every salt minion could send the update_fileserver event on the saltmaster. This is insecure, as we may have pushed/merged something in the production branch that fails the tests though. Thus instead of the command: `salt-call event.fire_master update salt/fileserver/gitfs/update` we will need to use from now on: `salt-call event.fire_master $DEPLOY_PASSWORD salt/fileserver/gitfs/update` The $DEPLOY_PASSWORD is a secret string that the reactor expects.
How to get this secret:
- The heroes can get it from pillar/secrets/role/saltmaster.sls.
- The CI runner that runs the deploy command will get it from gitlab itself, as this string was added by me on the gitlab infra/salt repository as a secret environment variable, that is sent to CI runners. It is marked as protected though, which means that it will be sent only when the CI runner runs tests against a protected branch, which is only the production branch in our case.
---
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5f68eec..cfec9b4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -42,7 +42,7 @@ test_show_highstate_against_forked_formulas:
 deploy_job:
 stage: deploy
- script: sudo salt-call event.fire_master update salt/fileserver/gitfs/update
+ script: sudo salt-call event.fire_master $CI_DEPLOY_PASSWORD salt/fileserver/gitfs/update
 only:
 - production@infra/salt
 tags:
diff --git a/pillar/role/saltmaster.sls b/pillar/role/saltmaster.sls
index 3755aea..a9a16ac 100644
--- a/pillar/role/saltmaster.sls
+++ b/pillar/role/saltmaster.sls
@@ -1,3 +1,6 @@
+include:
+ - secrets.role.saltmaster
+
 salt:
 gitfs:
 libgit2:
diff --git a/pillar/secrets/role/saltmaster.sls b/pillar/secrets/role/saltmaster.sls
new file mode 100644
index 0000000..6cb9dae
--- /dev/null
+++ b/pillar/secrets/role/saltmaster.sls
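Review bot: The new `script:` line expands `$CI_DEPLOY_PASSWORD` unquoted and unguarded, so when the variable is not exported (the description relies on GitLab only providing it for the protected branch) the argument simply disappears and `event.fire_master` receives the tag in the data position, failing with an unrelated error; `script: sudo salt-call event.fire_master "${CI_DEPLOY_PASSWORD:?CI_DEPLOY_PASSWORD is not set}" salt/fileserver/gitfs/update` fails the job with a clear message and keeps a value containing spaces intact. The secret is passed as a command-line argument, so it is readable in the process list on the runner while `salt-call` runs and travels as plain event data to the master; that follows from the design rather than from this line, but a comment on the job recording it would help the next reader. The description names the variable `$DEPLOY_PASSWORD` while the job reads `$CI_DEPLOY_PASSWORD`.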
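Review bot: The `include:` of `secrets.role.saltmaster` makes the deploy password part of whatever pillar `role/saltmaster.sls` is assigned to, and the pillar top file is outside this diff; every minion that receives this pillar can read the password and therefore fire the reactor, which is exactly the capability the commit sets out to restrict. Confirm the top file targets this pillar only at the master's own minion, and consider a comment above the include, e.g. `# carries the reactor deploy password: keep this pillar targeted at the saltmaster minion only`.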
@@ -0,0 +1,76 @@
+profile:
+ salt:
+ reactor:
+ update_fileserver_deploy_password: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA6zwzgobrGmRAQ//UeAt0n0FE999/5h3j9VFsOI3Cd2VMwoXcXp348wMcFoe
+ rVdhFiRBteVP76oJAo+kLCwX+Laz/TXiZTeJgy/3eOmtpiG894p5c9BTQ/5AoDCq
+ dNwRyySExm1almku+rmswnuR/RWIYCNqxwFk26XR/gdgvJIgXDVwNAOue8UM5e6s
+ AD3o8nD9F9fWyUSg4UXWsObAtHbftvNuQ1QK1Hb6fFLT5wmPRhF9J2X+l2fKXabK
+ 53Q6bQKeLMfaBf28vtWBdy/nirORjIgnus+aF7SWydSSUOVAamH0HBmU1CK3MVg7
+ hPBD6eavPeodZ+2lub5/t8sk7Jw8LG2uBj4/hOTuoir0GGkYfTwQ0rzec+CB7Nca
+ OKiIXCAfP53l1npEIErjo1or1ulqQYmsFEvcQ13wH5AQHf9byWqpuxIrn1ch7DTK
+ 4pR3CetM9YBFiMPFTfgrXbpCtn5kdzyfAwaDTRbFswut+spw8doLw/5O23TsbdWW
+ d+lRAsvWX2HnNaocO1+ObkfByaMBTZWxjYkF1QHlvFwqcUZs+vCeVah1hDUsbYGO
+ ibCXuuQV3KXXEBA21AZyfTlbSOPFMB0dtdgTaNfDCAcuRpjLtzkVC/eWkyiR1fjf
+ /4Mgaa2qQUBFfzEpHYO8wum0BXLfYei6cdguZJkmCI2fP1Gh8Bppz0NbRQm9Q4yF
+ AgwDZ1aKPJ6L0CcBD/9UjvLIR+Bw8Q3vo2LiKj8EOUE1PXxqR1xN6JlQIyi9JD4k
+ OvpUrgme2sERzG+T2uD0my6D3jvTnlEu5EwHAJVs6BIs1RC+wA//Y+BGuk/s4HBm
+ ruqv3JdF2Cla/Cgt9bdahPSAUpbPVsrFHGS9U3y9uKpOzADxPx/DgcYrL1A15F+j
+ MuP5t/4b0iS2Cd79uj/dl/+5WROJeMJt9yCGsRG3tpXtJSxrCPWhlroQPnS3cDwI
+ oBqv/qQXUZ4tlCGG9LzR29+UkmhoPjrur5FN57vetWo7bmIRywxnUxdQatz/tPrX
+ LtihpeSW+K4NG9WI8k0mCBsxQzZNPovlpEijXGObO8AYplJpmUSQN2iVFOqXMhzN
+ Ei8RPXMU1dIIQDHs1w3uiwBZwQPiTYW0Q1icevzclzZNYaofLmliYvEAOPKkRLRw
+ 0F5/8zKnl5p8xvFqFoe6SeHPbEwRH23sBArqxwTOogmcasPDKOw2/wDRRAI/5iPO
+ sxWfYU5vrDVi1xAUUsT/JO2AF9t7zDQLS9IyhYO3t89YvxTnaJLhbcjy5X6pUumZ
+ nIkQJ1QJqwioWh9Oc31KizoOxnDlpNv9OCfL9fP/YhjdSsaG0aKKBCeCEcAq2dM5
+ AZskyBeIe+5UjD6QUDRSVf82WRdNdG0p9ldKrzS6O05TCD6Vk94J1R1U7+a7BIUC
+ DAP/8/F+qY2A9QEQAK/CSdaheK735kW3th8LiXJYCkTu1KIMa8mtac2PjcCjtXUZ
+ PGIwblq0RkgE9II4ovRHb3I8dzSBM1BibKX5w/HcHFM32FOLoFaDJUPkdMopN7H4
+ G1LEgQkS7fo5sVFC/3BR2OMJXw7I+WkrvngPcW9zlaiaTZQDxCoWB3VeC6njVhoA
+ NMh3odqYbo4DZavcu9mg315lrI2ZtWhHgYXDF0cTblvnpWNFbs3wxiHANMoO8Ro3
+ VjXBQv1LW4jEF6aUZsxdr9+Ah0/z6RxtAdTE3Qsdgt0PDL4MPUUy8LfW7T8D8DlK
+ kefekGHHdwuF7rROX3a06iUZLbobNEXisHdCuj034iHWqcFTmBSFAOzc63tsHZuX
+ W4BWN24kH8NjZQf8pK8UNVREA0pehZziGm+krM7w4Br5/aiu9fPIhew6o8DAqt9o
+ px8WPk1JaG4lwrmFMBVA/j/IyIcD/GnN0JZMl1QylGDE/WdyyXsiLLUd1U+tBznk
+ KoU1/DymVMoGZZVRleuG7MCIJOjM1dhKfYsvSYtKv+iJED2gQ4Ld9dmvzM2emKsh
+ vJc0fBf0bmPSkMhAS30BRbF85fHlWcfOXSdKgxd0uCPwAgYlR5byC2dudtpFah0x
+ H0QXbBR0W9GQzowY2qFwSxbMnnVUeEoakNomTHzuHXv6MA1yk4+AA8s5CYiPhQEM
+ A1H2Gg3i02J9AQf/e2gO6Q/xrn83AUnDaGubrCskLqWI681DHG/QrJnfIZB2Be1d
+ Ob2eE1ovmXYUOgXoNSJpK1hXbmpfTSY2U9INJmyh12vg2GdfHclXkwGQnHoWnfXs
+ onpbgIT8SOJ0Yz4MUbVwSgim4WKRbUEPdPDS9PPH3DOBC1jrdLNl5wpErlx/A16e
+ 8NYJ5+FZ6WA3PAiugTDqcVoMknlOPAA3+931N/ItPjxu7khT8kfRAf8/Wvr14VqU
+ CJ258XreCJjVCFE7yxuiAlvQBwOr/l59y2qE0/7Pn2E9O8I7J0/9hXNdGMWNZcc5
+ RzFBgNEiIOrMSOO2OXKfXAs4ncEFRbWT9aCmM4UCDgOItwpvK+xM5hAIAIxCTqc+
+ gOUX7+6WE7NXq1fCfZBgofEdfDdvFUS9R9TFJrgbKEpwYcSpjpH0pVq/Gva96P2h
+ LivGmIz6Kc0tyEd1Ed1Wu+afyvMKjphtG3Too0+meFYQ85MsM52Ram8fJKrpYMvd
+ RtdqmH8Z1zCxed/4FfirlrdEDYhOdPS0yJmX9CoSLinJ7JqqobQouMQfNijtRwRg
+ x9RPJZDstQ+dPRHySGwIhSq10hcLSQLG/jot72MYET/lJGA+Uzpi+xyXcZTMI5gP
+ h3YtO25pU7CtvSZqV/fuTefJWrgk1YG9xoDvGUbYZb6h0yV9kaM0I5Nv1SDIrcbN
+ JI0jtqd2HalfgzYH/RSKYpKXyZSPyn0pahzqooU+5jysdy0QVg68KziZ0jasbZTO
+ 3Jc9HpC5QJGFwHX9S1jeQQeQ3nFsFHlguJnn+0VgnRJ3RfdAPd1MlAU3ViifnssD
+ 4lQwCjT/tYItZrJk7NsfST0HvbB7LKLuMKGKDDgXk3qRc5OpHptfbyjC60YbHUl1
+ oY4JRWiKEyA1w5YbdBff2sGrssaaM9jRIYUHEcLdM3dvvzXGO9Zvow0LJ+VQTTFG
+ tSA1ERcrQTvWvcljmqz/NAC6ikom9ZD+/ctpUqpUZCkw6Fa6tsnzb0ymYioG89UN
+ 15PFqBrrMyDRztwb5EHmWhGe0J32eFHTkQtIvq6FAQ4DslgfDDfB4G8QA/0da4G9
+ 1oSvQKrYQbD1PPCvxrkRkMh1+5fzVpteh3voi8r2lLz0AItSfdmGxBKXdlvTNku/
+ piw/HyIXPXy6gAp7OZ5X/nimLMJZaGCg7I16N+65ffwez2PKvGB3S+VMO0TLbgSf
+ GLdxlUL62TocMHRjVoo2J+qXJk1p1hLqc+5B1AP/Q8adz2lCy+1YQFMlQoLdSjAl
+ 8b8m1o0UpD3xi52JDIL2Ey3ca2ThRsXM185tViWrNKc0h/SmiSAiyWa9yNi39pXr
+ X4ytlUcjfWViPJwhiIz/cTbxa7BQ3XOw2NqaMZqMhajgpPg6ZQPoU+NrRrVXA6c5
+ 4Tdn852IjQ2lCQT7pqmFAgwDxqaC6mPILxwBD/9i2RvqGfSXdCEBAk1JOn7W3GVX
+ g0Dejan3+KADq4W6kGS0gCxMtEk6YyF2sMz5Y5o1uX9DScLWD27oYWV6CX/UafiZ
+ nAdKNu1bu+nXzyPr/sBys5q+nCuGLcqK+4ZWzGOEXF/5xhtHSAxKE5m8JWrZT3NC
+ eEvCHcNS6kUxJUU5oLPnhcrX+qoKvYHzuenz6TzxIEAkEKBsespa8OheNWH69Z+5
+ XLAm6vYO0ehnmswu8+kJKscd59+1++sE8YWRfuMFwT83KHZlNg5nUZyjaHk9Ll7F
+ Edn0SChaj0vyDmerXv9s0eBcHpJpHrFoOZ3fdWE0olHXVSO9AsoNCihMs4/CdSP1
+ Umdf4hb5rgSA3pbaD0cODyVx07j0v1QNHTrze1uQ9dQf6/gFH7LxsenS5jbItvYj
+ t7UAjD0YXFDh6SY6EMvVFXa2LRyDO4iaHNAZ+1Z0MtDWoO+yfdV1F5jCq998HN1h
+ ybuxVz6/2GIDkt7Z1NEzOKDYr+0m+AXbMa6mlcdSdsGNttU5ajj+CxB99acNsFeZ
+ wceL9tnapIiByaNdPzx/xAHpwjmUXFeKHxIE0OrEb1Pn8KhxZXJKkr1+p09kUKik
+ 1cBSO/aL0CSf8Y2oAJzNHitobsXKjZPt5IFFIXK3kwto3GhkUIpkF/EwSsUVLqyu
+ bSqlGDf7s5Z8QvHXONJRASNyxpquV4b9K8HIhkgPeRqZUki8/dHA4BMk0wFe6ZJm
+ 0aZ2ARRf93SyBNMQlA6MdH7ZZO6oMHJBIFSW32cqF6kpABKPwKKY3KHSIaQjbN5V
+ =c/cm
+ -----END PGP MESSAGE-----
diff --git a/salt/profile/salt/files/srv/reactor/update_fileserver.sls b/salt/profile/salt/files/srv/reactor/update_fileserver.sls
index d1189bb..16d159e 100644
--- a/salt/profile/salt/files/srv/reactor/update_fileserver.sls
+++ b/salt/profile/salt/files/srv/reactor/update_fileserver.sls
@@ -1,3 +1,9 @@
+{%- set deploy_password = salt['pillar.get']('profile:salt:reactor:update_fileserver_deploy_password', '') -%}
+{%- raw -%}
+{%- set data = salt['pillar.get']('event_data') -%}
+{%- if data == "{% endraw %}{{ deploy_password }}{% raw %}" -%}
 update_fileserver:
 runner.fileserver.update: []
 runner.git_pillar.update: []
+{%- endif -%}
+{%- endraw -%}
diff --git a/salt/profile/salt/master.sls b/salt/profile/salt/master.sls
index 2451da1..6ee4ee7 100644
--- a/salt/profile/salt/master.sls
+++ b/salt/profile/salt/master.sls
@@ -25,3 +25,4 @@ remove-etc-salt-master:
 /srv/reactor:
 file.recurse:
 - source: salt://profile/salt/files/srv/reactor
+ - template: jinja
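Review bot: The guard on the new `{%- if data == ... -%}` line fails open when the secret is empty: the first line passes `''` as the default for the pillar lookup, so if `profile:salt:reactor:update_fileserver_deploy_password` is unavailable when `file.recurse` renders this file, the comparison written into `/srv/reactor/update_fileserver.sls` becomes `data == ""`, and an event whose `event_data` lookup also falls back to the lookup's empty default (which, if I read `pillar.get` correctly, is `''` as well) runs both runners. Requiring a non-empty value closes that path, `{%- if data and data == "{% endraw %}{{ deploy_password }}{% raw %}" -%}`, and the first render should rather fail than write the file when `deploy_password` is empty. The secret is also interpolated into a double-quoted Jinja literal without escaping, so a value containing `"` breaks the template and a trailing newline (plausible for a decrypted `|` block scalar) makes the comparison never match; `{{ deploy_password | trim }}` covers the newline case. The check is a plain string `==` against a shared token, so the reactor is only as protected as the token's entropy and its handling on disk (see the `master.sls` hunk); a header comment such as `{# rendered twice: file.recurse substitutes deploy_password, the reactor evaluates the raw block against the event data #}` would spare the next reader the `raw`/`endraw` puzzle.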
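Review bot: With `- template: jinja` on the `/srv/reactor` `file.recurse`, the decrypted deploy password from `update_fileserver.sls` is written in clear text into `/srv/reactor/update_fileserver.sls`, yet the state sets no `file_mode` or `dir_mode`, so the rendered reactor keeps whatever permissions `file.recurse` applies by default. Add `- file_mode: 600` and `- dir_mode: 700` next to `- template: jinja` so only the master's user can read it. The option also renders every other file under `salt://profile/salt/files/srv/reactor`, so any literal `{{` or `{%` in those files now needs a `{% raw %}` block. A short comment on the option, e.g. `# jinja so update_fileserver.sls can embed the deploy password from pillar`, records why templating is on.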