Write github app key to a file on disk

The app_key config entry for zuul actually wants a path to a file, not
the key content itself. Write it to disk and update the config.

Do the file writing in site.pp and not puppet-zuul because it's an
arbitrary filename/content. A zuul user could have zero or many github
connections, and the connection data is stored in a hash in hiera, so
there's not a super great way to add key writing support to puppet-zuul
itself at the moment. It's also a single file.

Change-Id: I43f93f59b9a82186a60734810a277edeac67bbac
Monty Taylor 2017-07-28 03:20:41 -05:00
parent 3fb95e67a6
commit 1accc7121c
GPG Key ID: 7BAE94BC7141A594
3 changed files with 14 additions and 2 deletions

@ -72,8 +72,10 @@ entry in ``zuul_connection_secrets`` for the ``zuulv3.openstack.org`` FQDN.
The Private key can only be retrieved when it is generated, so in the case it
is lost a new one must be generated and the resulting value put into hiera.
The Private key is placed into the ``app_key`` field in the ``github``
entry in ``zuul_connection_secrets`` for the ``zuulv3.openstack.org`` FQDN.
The Private key content is stored as ``zuul_github_app_key`` in private hiera
and is written to ``/etc/zuul/github.key``. That path is placed into
``app_key`` field in the ``github`` entry in ``zuul_connections`` for the
``zuulv3.openstack.org`` FQDN.
GitHub sends JSON payloads via HTTP POST to the URL configured in the Webhook
URL setting. The current value of this setting for Zuul v3 is:
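Review bot: The added sentence "That path is placed into ``app_key`` field" is missing an article and should read "placed into the ``app_key`` field". Since this paragraph is what an operator will follow when regenerating a lost key, it would also help to say here that ``/etc/zuul/github.key`` is written by Puppet as owner and group zuul with mode 0600, so nobody creates or edits the file by hand with looser permissions.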

@ -19,6 +19,7 @@ zuul_connections:
- name: 'github'
driver: 'github'
app_key: '/etc/zuul/github.key'
gearman_server_ssl_cert: |
-----BEGIN CERTIFICATE-----
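Review bot: The path in `app_key: '/etc/zuul/github.key'` is a literal here and is repeated as the title of the file resource in site.pp, with nothing tying the two together. If one is changed without the other, zuul is pointed at a file that Puppet no longer manages or that does not exist. Please add a comment next to this entry naming the site.pp resource that writes the file, or define the path in one place and reference it from both.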

@ -1218,6 +1218,15 @@ node 'zuulv3.openstack.org' {
gearman_ssl_ca => hiera('gearman_ssl_ca'),
}
file { "/etc/zuul/github.key":
ensure => present,
owner => 'zuul',
group => 'zuul',
mode => '0600',
content => hiera('zuul_github_app_key'),
require => File['/etc/zuul'],
}
class { '::zuul::scheduler':
layout_dir => $::project_config::zuul_layout_dir,
require => $::project_config::config_dir,
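Review bot: The new `file { "/etc/zuul/github.key":` resource takes a private key as `content` but does not set `show_diff => false`, so when diff output is enabled on the agent a change to the key can end up in Puppet logs and reports; please add that attribute. Nothing orders the key file before `class { '::zuul::scheduler':`, whose only `require` is `$::project_config::config_dir`, so Puppet is free to apply the scheduler class before the key is written; add `before => Class['::zuul::scheduler']` on the file or include it in the class's `require`. Minor style points: the resource title uses double quotes with no interpolation, and `ensure => file` would be stricter than `ensure => present`.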