d12b82 more protection for the update_fileserver

Authored and Committed by Theo Chatzimichos 5 years ago
    more protection for the update_fileserver
    right now every salt minion could send the update_fileserver event on
    the saltmaster. This is insecure, as we may have pushed/merged something
    in the production branch that fails the tests though. Thus instead of
    the command:
    `salt-call event.fire_master update salt/fileserver/gitfs/update`
    we will need to use from now on:
    `salt-call event.fire_master $DEPLOY_PASSWORD salt/fileserver/gitfs/update`
    The $DEPLOY_PASSWORD is a secret string that the reactor expects. How to
    get this secret:
    - The heroes can get it from pillar/secrets/role/saltmaster.sls.
    - The CI runner that runs the deploy command will get it from gitlab
      itself, as this string was added by me on the gitlab infra/salt
      repository as a secret environment variable, that is sent to CI
      runners. It is marked as protected though, which means that it will be
      sent only when the CI runner runs tests against a protected branch,
      which is only the production branch in our case.
file modified
+1 -1
file modified
+3 -0
file modified
+1 -0