heroes / salt

Clone
Source Code
GIT

d12b82 more protection for the update_fileserver

Authored and Committed by Theo Chatzimichos 6 years ago
raw patch tree parent
5 files changed. 87 lines added. 1 lines removed.
.gitlab-ci.yml
file modified
+1 -1
pillar/role/saltmaster.sls
file modified
+3 -0
pillar/secrets/role/saltmaster.sls
file added
+76
salt/profile/salt/files/srv/reactor/update_fileserver.sls
file modified
+6 -0
salt/profile/salt/master.sls
file modified
+1 -0 
    more protection for the update_fileserver
    
    right now every salt minion could send the update_fileserver event on
    the saltmaster. This is insecure, as we may have pushed/merged something
    in the production branch that fails the tests though. Thus instead of
    the command:
    
    `salt-call event.fire_master update salt/fileserver/gitfs/update`
    
    we will need to use from now on:
    
    `salt-call event.fire_master $DEPLOY_PASSWORD salt/fileserver/gitfs/update`
    
    The $DEPLOY_PASSWORD is a secret string that the reactor expects. How to
    get this secret:
    
    - The heroes can get it from pillar/secrets/role/saltmaster.sls.
    - The CI runner that runs the deploy command will get it from gitlab
      itself, as this string was added by me on the gitlab infra/salt
      repository as a secret environment variable, that is sent to CI
      runners. It is marked as protected though, which means that it will be
      sent only when the CI runner runs tests against a protected branch,
      which is only the production branch in our case.
file modified
+1 -1
file modified
+3 -0
file added
+76
file modified
+6 -0
file modified
+1 -0
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.