Make jenkins proposal jobs use dedicated user.

Switch all jenkins proposal jobs to a dedicated user with dedicated
credentials. This is being done to be more flexible and secure when it
comes to managing the scripts that make proposals to gerrit.

Change-Id: I2dbdd530bf5b64c14207f645512a1eb319681166

manifests/site.pp

@@ -551,10 +551,11 @@ node 'mirror33.slave.openstack.org' {
 node 'proposal.slave.openstack.org' {
   include openstack_project
   class { 'openstack_project::proposal_slave':
-    transifex_username      => 'openstackjenkins',
-    transifex_password      => hiera('transifex_password'),
-    jenkins_ssh_public_key  => $openstack_project::jenkins_ssh_key,
-    jenkins_ssh_private_key => hiera('jenkins_ssh_private_key_contents'),
+    transifex_username       => 'openstackjenkins',
+    transifex_password       => hiera('transifex_password'),
+    jenkins_ssh_public_key   => $openstack_project::jenkins_ssh_key,
+    proposal_ssh_public_key  => hiera('proposal_ssh_public_key_contents'),
+    proposal_ssh_private_key => hiera('proposal_ssh_private_key_contents'),
   }
 }
 

modules/jenkins/files/slave_scripts/merge_tags.sh

@@ -16,9 +16,9 @@ TAG=$1
 
 if $(git tag --contains origin/milestone-proposed | grep "^$TAG$" >/dev/null)
 then
-    git config user.name "OpenStack Jenkins"
-    git config user.email "jenkins@openstack.org"
-    git config gitreview.username "jenkins"
+    git config user.name "OpenStack Proposal Bot"
+    git config user.email "openstack-infra@lists.openstack.org"
+    git config gitreview.username "proposal-bot"
 
     git review -s
     git checkout master

modules/jenkins/files/slave_scripts/propose_requirements_update.sh

@@ -23,9 +23,9 @@ if [ -z "$BRANCH" ] ; then
     exit 1
 fi
 
-git config user.name "OpenStack Jenkins"
-git config user.email "jenkins@openstack.org"
-git config gitreview.username $USERNAME
+git config user.name "OpenStack Proposal Bot"
+git config user.email "openstack-infra@lists.openstack.org"
+git config gitreview.username "proposal-bot"
 
 for PROJECT in $(cat projects.txt); do
 

modules/jenkins/files/slave_scripts/propose_translation_update.sh

@@ -16,9 +16,9 @@ ORG=$1
 PROJECT=$2
 COMMIT_MSG="Imported Translations from Transifex"
 
-git config user.name "OpenStack Jenkins"
-git config user.email "jenkins@openstack.org"
-git config gitreview.username "jenkins"
+git config user.name "OpenStack Proposal Bot"
+git config user.email "openstack-infra@lists.openstack.org"
+git config gitreview.username "proposal-bot"
 
 git review -s
 

modules/jenkins/files/slave_scripts/propose_translation_update_manuals.sh

@@ -26,9 +26,9 @@ fi
 
 COMMIT_MSG="Imported Translations from Transifex"
 
-git config user.name "OpenStack Jenkins"
-git config user.email "jenkins@openstack.org"
-git config gitreview.username "jenkins"
+git config user.name "OpenStack Proposal Bot"
+git config user.email "openstack-infra@lists.openstack.org"
+git config gitreview.username "proposal-bot"
 
 git review -s
 

modules/openstack_project/manifests/proposal_slave.pp

@@ -5,7 +5,8 @@
 #
 class openstack_project::proposal_slave (
   $jenkins_ssh_public_key,
-  $jenkins_ssh_private_key,
+  $proposal_ssh_public_key,
+  $proposal_ssh_private_key,
   $transifex_password = '',
   $transifex_username = 'openstackci',
 ) {
@@ -34,6 +35,14 @@ class openstack_project::proposal_slave (
     group   => 'jenkins',
     mode    => '0400',
     require => File['/home/jenkins/.ssh'],
-    content => $jenkins_ssh_private_key,
+    content => $proposal_ssh_private_key,
+  }
+
+  file { '/home/jenkins/.ssh/id_rsa.pub':
+    owner   => 'jenkins',
+    group   => 'jenkins',
+    mode    => '0400',
+    require => File['/home/jenkins/.ssh'],
+    content => $proposal_ssh_public_key,
   }
 }