The app_key config entry for zuul actually wants a path to a file, not the key content itself. Write it to disk and update the config. Do the file writing in site.pp and not puppet-zuul because it's an arbitrary filename/content. A zuul user could have zero or many github connections, and the connection data is stored in a hash in hiera, so there's not a super great way to add key writing support to puppet-zuul itself at the moment. It's also a single file.

Change-Id: I43f93f59b9a82186a60734810a277edeac67bbac
GitHub
GitHub is a code-hosting platform that, while not used for OpenStack development, is nonetheless frequently enough used by non-OpenStack projects that OpenStack has tooling interactions with it.
At a Glance
- Hosts
  - review.openstack.org
- Puppet
  - https://git.openstack.org/cgit/openstack-infra/system-config/tree/
    - modules/openstack_project/manifests/gerrit.pp
    - hiera/fqdn/zuulv3.openstack.org.yaml
- Projects
- Chat
  - #openstack-infra on freenode
Overview
There are currently three different forms of interaction with GitHub.
- Gerrit Replication
- Pull Request Closer
- OpenStack Zuul App
Gerrit Replication
Each project in Gerrit is replicated on merge to a corresponding
repository in GitHub. More information on this can be found in the Gerrit
document at gerrit_github_integration.
Pull Request Closer
A cronjob is run that looks for Pull Requests that have been
erroneously submitted and closes them with a helpful message pointing
people to the documentation on Contributing to OpenStack. More
information on this can be found in the jeepyb document at
closing_pull_requests.
OpenStack Zuul App
Zuul v3 is integrated with GitHub by way of a GitHub App. This is done
to enable OpenStack to test integration with external projects that use
GitHub for development. Information on configuring projects to use the
OpenStack Zuul App can be found in the zuul page at
zuul_github_projects.
The OpenStack Zuul App is managed through the OpenStack Zuul Settings Page, which is available to admins of the openstack-infra Organization.
The OpenStack Zuul App has an ID, a Private key, a Webhook secret and a set of OAuth Credentials which are all stored in hiera.
The ID is a numerical identifier found on the App settings page
labeled ID. The ID is placed into the app_id field in the github
entry in zuul_connection_secrets for the zuulv3.openstack.org FQDN.
The Private key can only be retrieved when it is generated, so if it is
lost, a new one must be generated and the resulting value put into
hiera. The Private key content is stored as zuul_github_app_key in
private hiera and is written to /etc/zuul/github.key. That path is
placed into the app_key field in the github entry in zuul_connections
for the zuulv3.openstack.org FQDN.
GitHub sends JSON payloads via HTTP POST to the URL configured in the
Webhook URL setting. The current value of this setting for Zuul v3 is:
https://zuulv3.openstack.org/connection/github/payload.
It includes the configured "Webhook Secret" so that Zuul can verify that
the payload actually did come from GitHub. The "Webhook Secret" is
placed into the webhook_token field in the github entry in
zuul_connection_secrets for the zuulv3.openstack.org FQDN.
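The check behind that verification, as an added example that is not Zuul's or system-config's own code: GitHub does not transmit the secret itself, it sends an HMAC of the raw request body keyed with the secret, as `sha1=<hex>` in the `X-Hub-Signature` header and `sha256=<hex>` in `X-Hub-Signature-256`. The function names, the secret and the payload below are constructed for illustration.

```python
import hashlib
import hmac

# Digests GitHub uses: sha1 (X-Hub-Signature) and sha256 (X-Hub-Signature-256).
_ALLOWED = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed sample values, not real credentials or a captured delivery.
SECRET = b"constructed-webhook-secret"
BODY = b'{"action":"opened","number":1}'


def sign_payload(secret: bytes, body: bytes, algo: str = "sha256") -> str:
    """Build the header value a sender attaches: '<algo>=<hex HMAC of body>'."""
    return algo + "=" + hmac.new(secret, body, _ALLOWED[algo]).hexdigest()


def verify_payload(secret: bytes, body: bytes, header) -> bool:
    """Return True only if header is a valid HMAC of the raw body under secret."""
    if not header or "=" not in header:
        return False  # unsigned request: reject instead of processing it
    algo, _, sent = header.partition("=")
    if algo not in _ALLOWED:
        return False  # do not let the sender pick an unexpected digest
    expected = hmac.new(secret, body, _ALLOWED[algo]).hexdigest()
    # Compare as bytes with compare_digest: constant-time, and it tolerates
    # non-ASCII garbage in the header without raising.
    return hmac.compare_digest(expected.encode(), sent.strip().lower().encode())


if __name__ == "__main__":
    good = sign_payload(SECRET, BODY)
    print("valid signature:   ", verify_payload(SECRET, BODY, good))
    print("tampered body:     ", verify_payload(SECRET, BODY + b" ", good))
    print("wrong secret:      ", verify_payload(b"other", BODY, good))
    print("missing header:    ", verify_payload(SECRET, BODY, None))
    print("unexpected digest: ", verify_payload(SECRET, BODY, "md5=abc"))
```

The HMAC must be computed over the exact bytes received, before any JSON parsing or re-serialization, or valid deliveries will fail verification.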
The OAuth credentials for the OpenStack Zuul App are currently unused.