From 1accc7121c1132fc2602aa738924925c3a4e8983 Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Fri, 28 Jul 2017 03:20:41 -0500
Subject: [PATCH] Write github app key to a file on disk
The app_key config entry for zuul actually wants a path to a file, not the key content itself. Write it to disk and update the config. Do the file writing in site.pp and not puppet-zuul because it's an arbitrary filename/content. A zuul user could have zero or many github connections, and the connection data is stored in a hash in hiera, so there's not a super great way to add key writing support to puppet-zuul itself at the moment. It's also a single file.
Change-Id: I43f93f59b9a82186a60734810a277edeac67bbac
---
 doc/source/github.rst | 6 ++++--
 hiera/fqdn/zuulv3.openstack.org.yaml | 1 +
 manifests/site.pp | 9 +++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/doc/source/github.rst b/doc/source/github.rst
index adb652bcbb..dabb7b8f4f 100644
--- a/doc/source/github.rst
+++ b/doc/source/github.rst
@@ -72,8 +72,10 @@ entry in ``zuul_connection_secrets`` for the ``zuulv3.openstack.org`` FQDN.
 The Private key can only be retrieved when it is generated, so in the case it is lost a new one must be generated and the resulting value put into hiera.
-The Private key is placed into the ``app_key`` field in the ``github``
-entry in ``zuul_connection_secrets`` for the ``zuulv3.openstack.org`` FQDN.
+The Private key content is stored as ``zuul_github_app_key`` in private hiera
+and is written to ``/etc/zuul/github.key``. That path is placed into
+``app_key`` field in the ``github`` entry in ``zuul_connections`` for the
+``zuulv3.openstack.org`` FQDN.
 GitHub sends JSON payloads via HTTP POST to the URL configured in the Webhook URL setting. The current value of this setting for Zuul v3 is:
diff --git a/hiera/fqdn/zuulv3.openstack.org.yaml b/hiera/fqdn/zuulv3.openstack.org.yaml
index c053a67404..e4e16aee11 100644
--- a/hiera/fqdn/zuulv3.openstack.org.yaml
+++ b/hiera/fqdn/zuulv3.openstack.org.yaml
@@ -19,6 +19,7 @@ zuul_connections:
 - name: 'github'
 driver: 'github'
+ app_key: '/etc/zuul/github.key'
 gearman_server_ssl_cert: |
 -----BEGIN CERTIFICATE-----
diff --git a/manifests/site.pp b/manifests/site.pp
index 2c8e35cf5c..7dea17e107 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1218,6 +1218,15 @@ node 'zuulv3.openstack.org' {
 gearman_ssl_ca => hiera('gearman_ssl_ca'),
 }
+ file { "/etc/zuul/github.key":
+ ensure => present,
+ owner => 'zuul',
+ group => 'zuul',
+ mode => '0600',
+ content => hiera('zuul_github_app_key'),
+ require => File['/etc/zuul'],
+ }
+
 class { '::zuul::scheduler':
 layout_dir => $::project_config::zuul_layout_dir,
 require => $::project_config::config_dir,
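Review bot: The key path `/etc/zuul/github.key` added as `app_key` here is also spelled out as a literal in the `file` resource this same change adds to manifests/site.pp, so the two can drift apart without any catalog error and the problem would only surface when the scheduler fails to read the key. Either have site.pp derive the path from the same hiera data or at least document the coupling next to this line, e.g. `# must match the file resource in manifests/site.pp`. The `zuul_connections` list continues outside the hunk.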
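Review bot: The new `file` resource writes a private key via `content =>` but leaves the default `show_diff` and `backup` behaviour in place, so whenever the key changes Puppet would print the key material as a content diff in agent output/reports and store the previous copy in the filebucket; add `show_diff => false,` and `backup => false,` next to `mode => '0600'`. `ensure => present` only asserts that something exists at the path, whereas `ensure => file` is the precise form for a resource that also manages content. Nothing in the hunk orders this file before `Class['::zuul::scheduler']` declared just below it, so on a first run the scheduler could presumably be started before the key file exists; a `before => Class['::zuul::scheduler'],` (or a notify on the scheduler service, if puppet-zuul exposes one) would make that explicit, though the module's resource names should be confirmed. As a style point, the resource title uses double quotes without interpolation; single quotes would match the surrounding code.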