Write secrets into their own file, not into inventory
Publishing the inventory as part of publishing logs would be handy in debugging that everything is as one expects. However, secrets currently go into the inventory, which means publishing it is not safe. Write the secrets to their own file. Also, Return errors if users try to define zuul vars or secrets. To support that, we need to pass zuul vars as a top-level param, not inside of vars already. Change-Id: If58b89882a817ff219ed5f8faf2bde31cc8e1a6a
This commit is contained in:
parent
e4dc8771e5
commit
d13bc36c52
|
@ -1308,7 +1308,7 @@ class RecordingExecutorServer(zuul.executor.server.ExecutorServer):
|
||||||
self.running_builds.append(build)
|
self.running_builds.append(build)
|
||||||
self.job_builds[job.unique] = build
|
self.job_builds[job.unique] = build
|
||||||
args = json.loads(job.arguments)
|
args = json.loads(job.arguments)
|
||||||
args['vars']['zuul']['_test'] = dict(test_root=self._test_root)
|
args['zuul']['_test'] = dict(test_root=self._test_root)
|
||||||
job.arguments = json.dumps(args)
|
job.arguments = json.dumps(args)
|
||||||
self.job_workers[job.unique] = RecordingAnsibleJob(self, job)
|
self.job_workers[job.unique] = RecordingAnsibleJob(self, job)
|
||||||
self.job_workers[job.unique].run()
|
self.job_workers[job.unique].run()
|
||||||
|
|
|
@ -46,7 +46,7 @@ class TestGithubDriver(ZuulTestCase):
|
||||||
self.getJobFromHistory('project-test2').result)
|
self.getJobFromHistory('project-test2').result)
|
||||||
|
|
||||||
job = self.getJobFromHistory('project-test2')
|
job = self.getJobFromHistory('project-test2')
|
||||||
zuulvars = job.parameters['vars']['zuul']
|
zuulvars = job.parameters['zuul']
|
||||||
self.assertEqual(A.number, zuulvars['change'])
|
self.assertEqual(A.number, zuulvars['change'])
|
||||||
self.assertEqual(A.head_sha, zuulvars['patchset'])
|
self.assertEqual(A.head_sha, zuulvars['patchset'])
|
||||||
self.assertEqual(1, len(A.comments))
|
self.assertEqual(1, len(A.comments))
|
||||||
|
|
|
@ -2757,7 +2757,7 @@ class TestScheduler(ZuulTestCase):
|
||||||
|
|
||||||
for build in self.history:
|
for build in self.history:
|
||||||
self.assertEqual(results.get(build.uuid, ''),
|
self.assertEqual(results.get(build.uuid, ''),
|
||||||
build.parameters['vars']['zuul'].get('tags'))
|
build.parameters['zuul'].get('tags'))
|
||||||
|
|
||||||
def test_timer(self):
|
def test_timer(self):
|
||||||
"Test that a periodic job is triggered"
|
"Test that a periodic job is triggered"
|
||||||
|
|
|
@ -253,10 +253,12 @@ class ExecutorClient(object):
|
||||||
params['nodes'] = nodes
|
params['nodes'] = nodes
|
||||||
params['groups'] = [group.toDict() for group in nodeset.getGroups()]
|
params['groups'] = [group.toDict() for group in nodeset.getGroups()]
|
||||||
params['vars'] = copy.deepcopy(job.variables)
|
params['vars'] = copy.deepcopy(job.variables)
|
||||||
|
params['secrets'] = {}
|
||||||
if job.auth:
|
if job.auth:
|
||||||
for secret in job.auth.secrets:
|
for secret in job.auth.secrets:
|
||||||
params['vars'][secret.name] = copy.deepcopy(secret.secret_data)
|
secret_data = copy.deepcopy(secret.secret_data)
|
||||||
params['vars']['zuul'] = zuul_params
|
params['secrets'][secret.name] = secret_data
|
||||||
|
params['zuul'] = zuul_params
|
||||||
projects = set()
|
projects = set()
|
||||||
|
|
||||||
def make_project_dict(project, override_branch=None):
|
def make_project_dict(project, override_branch=None):
|
||||||
|
|
|
@ -215,6 +215,8 @@ class JobDir(object):
|
||||||
pass
|
pass
|
||||||
self.known_hosts = os.path.join(ssh_dir, 'known_hosts')
|
self.known_hosts = os.path.join(ssh_dir, 'known_hosts')
|
||||||
self.inventory = os.path.join(self.ansible_root, 'inventory.yaml')
|
self.inventory = os.path.join(self.ansible_root, 'inventory.yaml')
|
||||||
|
self.secrets = os.path.join(self.ansible_root, 'secrets.yaml')
|
||||||
|
self.has_secrets = False
|
||||||
self.playbooks = [] # The list of candidate playbooks
|
self.playbooks = [] # The list of candidate playbooks
|
||||||
self.playbook = None # A pointer to the candidate we have chosen
|
self.playbook = None # A pointer to the candidate we have chosen
|
||||||
self.pre_playbooks = []
|
self.pre_playbooks = []
|
||||||
|
@ -767,7 +769,7 @@ class AnsibleJob(object):
|
||||||
def _execute(self):
|
def _execute(self):
|
||||||
args = json.loads(self.job.arguments)
|
args = json.loads(self.job.arguments)
|
||||||
self.log.debug("Beginning job %s for ref %s" %
|
self.log.debug("Beginning job %s for ref %s" %
|
||||||
(self.job.name, args['vars']['zuul']['ref']))
|
(self.job.name, args['zuul']['ref']))
|
||||||
self.log.debug("Args: %s" % (self.job.arguments,))
|
self.log.debug("Args: %s" % (self.job.arguments,))
|
||||||
self.log.debug("Job root: %s" % (self.jobdir.root,))
|
self.log.debug("Job root: %s" % (self.jobdir.root,))
|
||||||
tasks = []
|
tasks = []
|
||||||
|
@ -1171,9 +1173,12 @@ class AnsibleJob(object):
|
||||||
jobdir_playbook.roles_path.append(role_path)
|
jobdir_playbook.roles_path.append(role_path)
|
||||||
|
|
||||||
def prepareAnsibleFiles(self, args):
|
def prepareAnsibleFiles(self, args):
|
||||||
all_vars = dict(args['vars'])
|
all_vars = args['vars'].copy()
|
||||||
# TODO(mordred) Hack to work around running things with python3
|
# TODO(mordred) Hack to work around running things with python3
|
||||||
all_vars['ansible_python_interpreter'] = '/usr/bin/python2'
|
all_vars['ansible_python_interpreter'] = '/usr/bin/python2'
|
||||||
|
if 'zuul' in all_vars:
|
||||||
|
raise Exception("Defining vars named 'zuul' is not allowed")
|
||||||
|
all_vars['zuul'] = args['zuul'].copy()
|
||||||
all_vars['zuul']['executor'] = dict(
|
all_vars['zuul']['executor'] = dict(
|
||||||
hostname=self.executor_server.hostname,
|
hostname=self.executor_server.hostname,
|
||||||
src_root=self.jobdir.src_root,
|
src_root=self.jobdir.src_root,
|
||||||
|
@ -1192,6 +1197,15 @@ class AnsibleJob(object):
|
||||||
for key in node['host_keys']:
|
for key in node['host_keys']:
|
||||||
known_hosts.write('%s\n' % key)
|
known_hosts.write('%s\n' % key)
|
||||||
|
|
||||||
|
secrets = args['secrets'].copy()
|
||||||
|
if secrets:
|
||||||
|
if 'zuul' in secrets:
|
||||||
|
raise Exception("Defining secrets named 'zuul' is not allowed")
|
||||||
|
with open(self.jobdir.secrets, 'w') as secrets_yaml:
|
||||||
|
secrets_yaml.write(
|
||||||
|
yaml.safe_dump(secrets, default_flow_style=False))
|
||||||
|
self.jobdir.has_secrets = True
|
||||||
|
|
||||||
def writeAnsibleConfig(self, jobdir_playbook):
|
def writeAnsibleConfig(self, jobdir_playbook):
|
||||||
trusted = jobdir_playbook.trusted
|
trusted = jobdir_playbook.trusted
|
||||||
|
|
||||||
|
@ -1372,6 +1386,8 @@ class AnsibleJob(object):
|
||||||
verbose = '-v'
|
verbose = '-v'
|
||||||
|
|
||||||
cmd = ['ansible-playbook', verbose, playbook.path]
|
cmd = ['ansible-playbook', verbose, playbook.path]
|
||||||
|
if self.jobdir.has_secrets:
|
||||||
|
cmd.extend(['-e', '@' + self.jobdir.secrets])
|
||||||
|
|
||||||
if success is not None:
|
if success is not None:
|
||||||
cmd.extend(['-e', 'success=%s' % str(bool(success))])
|
cmd.extend(['-e', 'success=%s' % str(bool(success))])
|
||||||
|
|
Loading…
Reference in New Issue