more protection for the update_fileserver
right now every salt minion could send the update_fileserver event on
the saltmaster. This is insecure, as we may have pushed/merged something
in the production branch that fails the tests though. Thus instead of
the command:
`salt-call event.fire_master update salt/fileserver/gitfs/update`
we will need to use from now on:
`salt-call event.fire_master $DEPLOY_PASSWORD salt/fileserver/gitfs/update`
The $DEPLOY_PASSWORD is a secret string that the reactor expects. How to
get this secret:
- The heroes can get it from pillar/secrets/role/saltmaster.sls.
- The CI runner that runs the deploy command will get it from gitlab
itself, as this string was added by me on the gitlab infra/salt
repository as a secret environment variable, that is sent to CI
runners. It is marked as protected though, which means that it will be
sent only when the CI runner runs tests against a protected branch,
which is only the production branch in our case.