Write secrets into their own file, not into inventory

Publishing the inventory as part of publishing logs would be handy
in debugging that everything is as one expects. However, secrets
currently go into the inventory, which means publishing it is not safe.

Write the secrets to their own file.

Also, Return errors if users try to define zuul vars or secrets. To
support that, we need to pass zuul vars as a top-level param, not inside
of vars already.

Change-Id: If58b89882a817ff219ed5f8faf2bde31cc8e1a6a
changes/90/479390/11
Monty Taylor 5 years ago
parent e4dc8771e5
commit d13bc36c52
No known key found for this signature in database
GPG Key ID: 7BAE94BC7141A594
  1. 2
      tests/base.py
  2. 2
      tests/unit/test_github_driver.py
  3. 2
      tests/unit/test_scheduler.py
  4. 6
      zuul/executor/client.py
  5. 20
      zuul/executor/server.py

@ -1308,7 +1308,7 @@ class RecordingExecutorServer(zuul.executor.server.ExecutorServer):
self.running_builds.append(build)
self.job_builds[job.unique] = build
args = json.loads(job.arguments)
args['vars']['zuul']['_test'] = dict(test_root=self._test_root)
args['zuul']['_test'] = dict(test_root=self._test_root)
job.arguments = json.dumps(args)
self.job_workers[job.unique] = RecordingAnsibleJob(self, job)
self.job_workers[job.unique].run()

@ -46,7 +46,7 @@ class TestGithubDriver(ZuulTestCase):
self.getJobFromHistory('project-test2').result)
job = self.getJobFromHistory('project-test2')
zuulvars = job.parameters['vars']['zuul']
zuulvars = job.parameters['zuul']
self.assertEqual(A.number, zuulvars['change'])
self.assertEqual(A.head_sha, zuulvars['patchset'])
self.assertEqual(1, len(A.comments))

@ -2757,7 +2757,7 @@ class TestScheduler(ZuulTestCase):
for build in self.history:
self.assertEqual(results.get(build.uuid, ''),
build.parameters['vars']['zuul'].get('tags'))
build.parameters['zuul'].get('tags'))
def test_timer(self):
"Test that a periodic job is triggered"

@ -253,10 +253,12 @@ class ExecutorClient(object):
params['nodes'] = nodes
params['groups'] = [group.toDict() for group in nodeset.getGroups()]
params['vars'] = copy.deepcopy(job.variables)
params['secrets'] = {}
if job.auth:
for secret in job.auth.secrets:
params['vars'][secret.name] = copy.deepcopy(secret.secret_data)
params['vars']['zuul'] = zuul_params
secret_data = copy.deepcopy(secret.secret_data)
params['secrets'][secret.name] = secret_data
params['zuul'] = zuul_params
projects = set()
def make_project_dict(project, override_branch=None):

@ -215,6 +215,8 @@ class JobDir(object):
pass
self.known_hosts = os.path.join(ssh_dir, 'known_hosts')
self.inventory = os.path.join(self.ansible_root, 'inventory.yaml')
self.secrets = os.path.join(self.ansible_root, 'secrets.yaml')
self.has_secrets = False
self.playbooks = [] # The list of candidate playbooks
self.playbook = None # A pointer to the candidate we have chosen
self.pre_playbooks = []
@ -767,7 +769,7 @@ class AnsibleJob(object):
def _execute(self):
args = json.loads(self.job.arguments)
self.log.debug("Beginning job %s for ref %s" %
(self.job.name, args['vars']['zuul']['ref']))
(self.job.name, args['zuul']['ref']))
self.log.debug("Args: %s" % (self.job.arguments,))
self.log.debug("Job root: %s" % (self.jobdir.root,))
tasks = []
@ -1171,9 +1173,12 @@ class AnsibleJob(object):
jobdir_playbook.roles_path.append(role_path)
def prepareAnsibleFiles(self, args):
all_vars = dict(args['vars'])
all_vars = args['vars'].copy()
# TODO(mordred) Hack to work around running things with python3
all_vars['ansible_python_interpreter'] = '/usr/bin/python2'
if 'zuul' in all_vars:
raise Exception("Defining vars named 'zuul' is not allowed")
all_vars['zuul'] = args['zuul'].copy()
all_vars['zuul']['executor'] = dict(
hostname=self.executor_server.hostname,
src_root=self.jobdir.src_root,
@ -1192,6 +1197,15 @@ class AnsibleJob(object):
for key in node['host_keys']:
known_hosts.write('%s\n' % key)
secrets = args['secrets'].copy()
if secrets:
if 'zuul' in secrets:
raise Exception("Defining secrets named 'zuul' is not allowed")
with open(self.jobdir.secrets, 'w') as secrets_yaml:
secrets_yaml.write(
yaml.safe_dump(secrets, default_flow_style=False))
self.jobdir.has_secrets = True
def writeAnsibleConfig(self, jobdir_playbook):
trusted = jobdir_playbook.trusted
@ -1372,6 +1386,8 @@ class AnsibleJob(object):
verbose = '-v'
cmd = ['ansible-playbook', verbose, playbook.path]
if self.jobdir.has_secrets:
cmd.extend(['-e', '@' + self.jobdir.secrets])
if success is not None:
cmd.extend(['-e', 'success=%s' % str(bool(success))])

Loading…
Cancel
Save