Merge "builder: support setting diskimage env-vars in secure configuration"

This commit is contained in:
Zuul
2018-07-23 16:04:00 +00:00
committed by Gerrit Code Review
5 changed files with 31 additions and 2 deletions


@@ -58,11 +58,17 @@ The Nodepool configuration file is described in :ref:`configuration`.
There is support for a secure file that is used to store nodepool There is support for a secure file that is used to store nodepool
configurations that contain sensitive data. It currently only supports configurations that contain sensitive data. It currently only supports
specifying ZooKeeper credentials. If ZooKeeper credentials are defined in specifying ZooKeeper credentials and diskimage env-vars.
both configuration files, the data in the secure file takes precedence. If ZooKeeper credentials or diskimage env-vars are defined in both
configuration files, the data in the secure file takes precedence.
The secure file location can be changed with the ``-s`` option and follows The secure file location can be changed with the ``-s`` option and follows
the same file format as the Nodepool configuration file. the same file format as the Nodepool configuration file.
Secrets stored in diskimage env-vars may be leaked by the elements or in
the image build logs. Before using sensitive information in env-vars, please
carefully audit the elements that are enabled and ensure they are handling
the environment safely.
There is an optional logging configuration file, specified with the ``-l`` There is an optional logging configuration file, specified with the ``-l``
option. The logging configuration file can accept either: option. The logging configuration file can accept either:


@@ -120,6 +120,14 @@ class Config(ConfigValue):
d.username = diskimage.get('username', 'zuul') d.username = diskimage.get('username', 'zuul')
self.diskimages[d.name] = d self.diskimages[d.name] = d
def setSecureDiskimageEnv(self, diskimages, secure_config_path):
for diskimage in diskimages:
if diskimage['name'] not in self.diskimages:
raise Exception('%s: unknown diskimage %s' %
(secure_config_path, diskimage['name']))
self.diskimages[diskimage['name']].env_vars.update(
diskimage['env-vars'])
def setLabels(self, labels_cfg): def setLabels(self, labels_cfg):
if not labels_cfg: if not labels_cfg:
return return
@@ -268,3 +276,5 @@ def loadSecureConfig(config, secure_config_path):
# TODO(Shrews): Support ZooKeeper auth # TODO(Shrews): Support ZooKeeper auth
config.setZooKeeperServers(secure.get('zookeeper-servers')) config.setZooKeeperServers(secure.get('zookeeper-servers'))
config.setSecureDiskimageEnv(
secure.get('diskimages', []), secure_config_path)
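Review bot: `setSecureDiskimageEnv` indexes `diskimage['name']` and `diskimage['env-vars']` directly, so a secure-file entry that omits either key fails with a bare `KeyError` rather than the path-qualified message the unknown-image branch produces; `name = diskimage.get('name')` with the same `'%s: ...' % secure_config_path` style error, and `env_vars.update(diskimage.get('env-vars') or {})`, would keep error reporting consistent. Because the secure values are merged into the same `env_vars` dict as the non-secret ones, nothing downstream can tell them apart, so any code path that logs or dumps a diskimage's environment will expose them; the new documentation warns about elements and build logs, but it is worth confirming that nodepool's own config/debug logging never prints `env_vars`. In `loadSecureConfig`, `secure.get('diskimages', [])` returns `None` for an explicit but empty `diskimages:` key and the loop then raises `TypeError`; `secure.get('diskimages') or []` avoids that. Both the `Config` class and `loadSecureConfig` start outside the hunk, and whether `env_vars` is initialised on every diskimage by the earlier setter is not visible here.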


@@ -2,3 +2,8 @@ zookeeper-servers:
- host: {zookeeper_host} - host: {zookeeper_host}
port: {zookeeper_port} port: {zookeeper_port}
chroot: {zookeeper_chroot} chroot: {zookeeper_chroot}
diskimages:
- name: fake-image
env-vars:
REG_PASSWORD: secret


@@ -1144,6 +1144,10 @@ class TestLauncher(tests.DBTestCase):
pool.start() pool.start()
self.wait_for_config(pool) self.wait_for_config(pool)
fake_image = pool.config.diskimages['fake-image']
self.assertIn('REG_PASSWORD', fake_image.env_vars)
self.assertEqual('secret', fake_image.env_vars['REG_PASSWORD'])
zk_servers = pool.config.zookeeper_servers zk_servers = pool.config.zookeeper_servers
self.assertEqual(1, len(zk_servers)) self.assertEqual(1, len(zk_servers))
key = list(zk_servers.keys())[0] key = list(zk_servers.keys())[0]
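Review bot: The new assertions only verify that a variable defined solely in the secure file is merged; the precedence rule the documentation now promises (the secure file wins when the same variable appears in both files) and the `unknown diskimage` error path are not exercised. If the matching non-secure fixture defines env-vars for `fake-image`, adding a conflicting `REG_PASSWORD` there and keeping `self.assertEqual('secret', fake_image.env_vars['REG_PASSWORD'])` would pin the override behaviour, and a second fixture naming a non-existent diskimage could assert the raised exception message. The enclosing test method starts outside the hunk.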


@@ -0,0 +1,4 @@
---
features:
- |
Diskimages env-vars can be set in the secure.conf file.