zuul-jobs/zuul-tests.d/container-roles-jobs.yaml
Clark Boylan 4c40b92950 Prevent leaks of buildset registry credentials
Because buildset registries may be used by jobs that finish before other
jobs are finished using the buildset registry we must be careful not to
expose the registry credentials in the jobs that finish sooner.
Otherwise logs for the earlier job runs could potentially be used to
poison the registry for later jobs.

This is likely currently incomplete. Other Zuulians should look over it
carefully to ensure we're covering all the bases here.

The cases I've identified so far are:

* Setting facts that include passwords
* Reading and writing to files that include passwords (as content may be
  logged)
* Calling modules with passwords passed as arguments (the module
  invocation is logged)

I've also set no_log on zuul_return that passes up credentials because
while the logging for zuul_return is minimal today, I don't want to
count on it remaining that way.

We also use the yet to be merged secret_data attribute on zuul_return to
ensure that zuul_return itself does not expose anything unwanted.

Finally it would be great if others could check over the use of
buildset_registry variables to make sure there aren't any that got
missed. One thing I'm not sure of is whether or not when conditionals
get logged and if we need to be careful about their use too.

Temporarily remove some buildset-registry jobs which are in a catch-22.

Change-Id: I2dea683e27f00b99a7766bf830981bf91b925265
2021-06-24 09:56:19 -07:00
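As an added example (not code from the zuul-jobs commit shown here), an Ansible play that handles the buildset registry credentials in each of the cases the commit message lists. It assumes a `buildset_registry` variable with `host`, `port`, `username` and `password` keys and uses the `secret_data` attribute of `zuul_return` as the message describes it; task names and the auth file path are illustrative.

```yaml
# Added example (not code from the zuul-jobs commit): handling the
# buildset_registry credentials in the ways the commit message lists without
# letting them reach the job log. Assumed: a buildset_registry dict with host,
# port, username and password keys; secret_data is the zuul_return attribute
# the commit message describes.
- hosts: localhost
  vars:
    reg_host: "{{ buildset_registry.host }}:{{ buildset_registry.port }}"
  tasks:
    # Case 1: set_fact records its arguments, so mask the whole task.
    - name: Derive registry auth facts
      no_log: true
      set_fact:
        registry_auth_b64: >-
          {{ (buildset_registry.username ~ ':' ~ buildset_registry.password) | b64encode }}
        registry_has_password: "{{ buildset_registry.password | length > 0 }}"

    # Case 2: written content can show up in the log (for example in diff mode).
    - name: Write the container auth file
      no_log: true
      copy:
        dest: "{{ ansible_user_dir }}/.docker/config.json"
        mode: "0600"
        content: "{{ {'auths': {reg_host: {'auth': registry_auth_b64} } } | to_nice_json }}"

    # Case 3: module invocations are logged verbatim, arguments included.
    # Feed the password on stdin so it is also absent from the process list,
    # and gate on a boolean fact rather than on the password in `when:`.
    - name: Log in to the buildset registry
      no_log: true
      when: registry_has_password | bool
      command: "docker login {{ reg_host }} -u {{ buildset_registry.username }} --password-stdin"
      args:
        stdin: "{{ buildset_registry.password }}"

    # Case 4: hand the credentials to later jobs in the buildset. no_log covers
    # this task's log; secret_data keeps them out of the returned data record.
    - name: Return registry details to dependent jobs
      no_log: true
      zuul_return:
        data:
          buildset_registry:
            host: "{{ buildset_registry.host }}"
            port: "{{ buildset_registry.port }}"
        secret_data:
          buildset_registry:
            username: "{{ buildset_registry.username }}"
            password: "{{ buildset_registry.password }}"
```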


- job:
    name: zuul-jobs-test-ensure-docker
    description: Tests ensure-docker role
    abstract: true
    files:
      - .*ensure-docker.*
      - roles/ensure-package-repositories/.*
      - test-requirements.txt
    run: test-playbooks/ensure-docker.yaml

- job:
    name: zuul-jobs-test-ensure-docker-centos-7
    description: Tests ensure-docker role on centos-7
    parent: zuul-jobs-test-ensure-docker
    nodeset:
      nodes:
        - name: centos-7
          label: centos-7

- job:
    name: zuul-jobs-test-ensure-docker-centos-8
    description: Tests ensure-docker role on centos-8
    parent: zuul-jobs-test-ensure-docker
    nodeset:
      nodes:
        - name: centos-8
          label: centos-8

- job:
    name: zuul-jobs-test-ensure-docker-debian-stretch
    description: Tests ensure-docker role on debian-stretch
    parent: zuul-jobs-test-ensure-docker
    nodeset:
      nodes:
        - name: debian-stretch
          label: debian-stretch

- job:
    name: zuul-jobs-test-ensure-docker-ubuntu-bionic
    description: Tests ensure-docker role on ubuntu-bionic
    parent: zuul-jobs-test-ensure-docker
    nodeset:
      nodes:
        - name: ubuntu-bionic
          label: ubuntu-bionic

- job:
    name: zuul-jobs-test-ensure-docker-ubuntu-xenial
    description: Tests ensure-docker role on ubuntu-xenial
    parent: zuul-jobs-test-ensure-docker
    nodeset:
      nodes:
        - name: ubuntu-xenial
          label: ubuntu-xenial

- job:
    name: zuul-jobs-test-build-container-image-release
    description: |
      Test building a container image in a release pipeline.
      This job tests changes to the build-container-image role,
      simulating its use within a tag-based release pipeline. It is
      not meant to be used directly but rather run on changes to roles
      in the zuul-jobs repo.
    files:
      - roles/ensure-podman/.*
      - roles/ensure-package-repositories/.*
      - roles/build-container-image/.*
      - roles/upload-container-image/.*
      - test-playbooks/container/.*
    pre-run: test-playbooks/container/test-build-container-image-release-pre.yaml
    run: test-playbooks/container/test-build-container-image-release.yaml
    vars:
      container_command: podman
      multiarch: false
    nodeset:
      nodes:
        - name: builder
          label: ubuntu-bionic

- job:
    name: zuul-jobs-test-build-docker-image-release
    description: |
      Test building a docker image in a release pipeline.
      This job tests changes to the build-docker-image role,
      simulating its use within a tag-based release pipeline. It is
      not meant to be used directly but rather run on changes to roles
      in the zuul-jobs repo.
    files:
      - roles/ensure-docker/.*
      - roles/ensure-package-repositories/.*
      - roles/build-docker-image/.*
      - roles/upload-docker-image/.*
      - test-playbooks/container/.*
    pre-run: test-playbooks/container/test-build-container-image-release-pre.yaml
    run: test-playbooks/container/test-build-container-image-release.yaml
    vars:
      container_command: docker
      multiarch: false
    nodeset:
      nodes:
        - name: builder
          label: ubuntu-bionic

- job:
    name: zuul-jobs-test-build-docker-image-release-multiarch
    parent: zuul-jobs-test-build-docker-image-release
    description: |
      Test building a docker image in a release pipeline.
      This job tests changes to the build-docker-image role using buildx,
      simulating its use within a tag-based release pipeline. It is
      not meant to be used directly but rather run on changes to roles
      in the zuul-jobs repo.
    vars:
      multiarch: true

- job:
    name: zuul-jobs-test-registry-docker
    description: |
      Test the intermediate registry roles.
      This job tests changes to the intermediate registry roles. It
      is not meant to be used directly but rather run on changes to
      roles in the zuul-jobs repo.
    files:
      - roles/pull-from-intermediate-registry/.*
      - roles/push-to-intermediate-registry/.*
      - roles/ensure-docker/.*
      - roles/ensure-package-repositories/.*
      - roles/build-docker-image/.*
      - roles/run-buildset-registry/.*
      - roles/use-buildset-registry/.*
      - test-playbooks/registry/.*
    pre-run: test-playbooks/registry/test-registry-pre.yaml
    run: test-playbooks/registry/test-registry.yaml
    post-run: test-playbooks/registry/test-registry-post.yaml
    vars:
      container_command: docker
      multiarch: false
    nodeset:
      nodes:
        - name: intermediate-registry
          label: ubuntu-bionic
        - name: executor
          label: ubuntu-bionic
        - name: builder
          label: ubuntu-bionic

- job:
    name: zuul-jobs-test-registry-docker-multiarch
    description: |
      Test the intermediate registry roles with multiarch.
      This job tests changes to the intermediate registry roles. It
      is not meant to be used directly but rather run on changes to
      roles in the zuul-jobs repo.
    files:
      - roles/pull-from-intermediate-registry/.*
      - roles/push-to-intermediate-registry/.*
      - roles/ensure-docker/.*
      - roles/build-docker-image/.*
      - roles/run-buildset-registry/.*
      - roles/use-buildset-registry/.*
      - test-playbooks/registry/.*
    pre-run: test-playbooks/registry/test-registry-pre.yaml
    run: test-playbooks/registry/test-registry.yaml
    post-run: test-playbooks/registry/test-registry-post.yaml
    vars:
      container_command: docker
      multiarch: true
    nodeset:
      nodes:
        - name: intermediate-registry
          label: ubuntu-bionic
        - name: executor
          label: ubuntu-bionic
        - name: builder
          label: ubuntu-bionic

- job:
    name: zuul-jobs-test-registry-podman
    description: |
      Test the intermediate registry roles.
      This job tests changes to the intermediate registry roles using
      podman rather than docker. It is not meant to be used directly
      but rather run on changes to roles in the zuul-jobs repo.
    files:
      - roles/pull-from-intermediate-registry/.*
      - roles/push-to-intermediate-registry/.*
      - roles/ensure-podman/.*
      - roles/ensure-package-repositories/.*
      - roles/build-container-image/.*
      - roles/run-buildset-registry/.*
      - roles/use-buildset-registry/.*
      - test-playbooks/registry/.*
    pre-run: test-playbooks/registry/test-registry-pre.yaml
    run: test-playbooks/registry/test-registry.yaml
    post-run: test-playbooks/registry/test-registry-post.yaml
    vars:
      container_command: podman
      multiarch: false
    nodeset:
      nodes:
        - name: intermediate-registry
          label: ubuntu-bionic
        - name: executor
          label: ubuntu-bionic
        - name: builder
          label: ubuntu-bionic

- job:
    name: zuul-jobs-test-ensure-kubernetes-docker
    description: |
      Test the ensure-kubernetes role with docker
      This job tests changes to the ensure-kubernetes roles. It
      is not meant to be used directly but rather run on changes to
      roles in the zuul-jobs repo.
    files:
      - roles/ensure-docker/.*
      - roles/ensure-kubernetes/.*
      - roles/ensure-package-repositories/.*
      - test-playbooks/ensure-kubernetes/.*
    run: test-playbooks/ensure-kubernetes/docker.yaml
    post-run: test-playbooks/ensure-kubernetes/post.yaml

- job:
    name: zuul-jobs-test-ensure-kubernetes-crio
    description: |
      Test the ensure-kubernetes role with cri-o
      This job tests changes to the ensure-kubernetes roles. It
      is not meant to be used directly but rather run on changes to
      roles in the zuul-jobs repo.
    files:
      - roles/ensure-docker/.*
      - roles/ensure-kubernetes/.*
      - roles/ensure-package-repositories/.*
      - test-playbooks/ensure-kubernetes/.*
    run: test-playbooks/ensure-kubernetes/crio.yaml
    post-run: test-playbooks/ensure-kubernetes/post.yaml

- job:
    name: zuul-jobs-test-ensure-podman
    description: |
      Test the ensure-podman role
      This job tests the ensure-podman role. It is not meant to be
      used directly but rather run on changes to roles in the
      zuul-jobs repo.
    abstract: true
    files:
      - roles/ensure-podman/.*
      - roles/ensure-package-repositories/.*
      - test-playbooks/ensure-podman/.*
    run: test-playbooks/ensure-podman/main.yaml

- job:
    name: zuul-jobs-test-ensure-skopeo
    description: |
      Test the ensure-skopeo role
      This job tests the ensure-skopeo role. It is not meant to be
      used directly but rather run on changes to roles in the
      zuul-jobs repo.
    abstract: true
    files:
      - roles/ensure-skopeo/.*
      - roles/ensure-package-repositories/.*
      - test-playbooks/ensure-skopeo/.*
    run: test-playbooks/ensure-skopeo/main.yaml

- job:
    name: zuul-jobs-test-ensure-podman-centos-8
    description: Tests ensure-podman role on centos-8
    parent: zuul-jobs-test-ensure-podman
    nodeset:
      nodes:
        - name: centos-8
          label: centos-8

- job:
    name: zuul-jobs-test-ensure-podman-fedora-34
    description: Tests ensure-podman role on fedora-34
    parent: zuul-jobs-test-ensure-podman
    # Until non-root podman issues are sorted; see
    # https://github.com/containers/podman/issues/10717
    voting: false
    nodeset:
      nodes:
        - name: fedora-34
          label: fedora-34

- job:
    name: zuul-jobs-test-ensure-podman-ubuntu-bionic
    description: Tests ensure-podman role on ubuntu-bionic
    parent: zuul-jobs-test-ensure-podman
    nodeset:
      nodes:
        - name: ubuntu-bionic
          label: ubuntu-bionic

- job:
    name: zuul-jobs-test-ensure-skopeo-centos-8
    description: Tests ensure-skopeo role on centos-8
    parent: zuul-jobs-test-ensure-skopeo
    nodeset:
      nodes:
        - name: centos-8
          label: centos-8

- job:
    name: zuul-jobs-test-ensure-skopeo-fedora-34
    description: Tests ensure-skopeo role on fedora-34
    parent: zuul-jobs-test-ensure-skopeo
    nodeset:
      nodes:
        - name: fedora-34
          label: fedora-34

- job:
    name: zuul-jobs-test-ensure-skopeo-ubuntu-bionic
    description: Tests ensure-skopeo role on ubuntu-bionic
    parent: zuul-jobs-test-ensure-skopeo
    nodeset:
      nodes:
        - name: ubuntu-bionic
          label: ubuntu-bionic

- job:
    name: zuul-jobs-test-ensure-skopeo-ubuntu-focal
    description: Tests ensure-skopeo role on ubuntu-focal
    parent: zuul-jobs-test-ensure-skopeo
    nodeset:
      nodes:
        - name: ubuntu-focal
          label: ubuntu-focal

# -* AUTOGENERATED *-
# The following project section is autogenerated by
#   tox -e update-test-platforms
# Please re-run to generate new job lists

- project:
    check:
      jobs:
        - zuul-jobs-test-ensure-docker-centos-7
        - zuul-jobs-test-ensure-docker-centos-8
        - zuul-jobs-test-ensure-docker-debian-stretch
        - zuul-jobs-test-ensure-docker-ubuntu-bionic
        - zuul-jobs-test-ensure-docker-ubuntu-xenial
        - zuul-jobs-test-build-container-image-release
        - zuul-jobs-test-build-docker-image-release
        - zuul-jobs-test-build-docker-image-release-multiarch
        - zuul-jobs-test-registry-docker
        - zuul-jobs-test-registry-docker-multiarch
        - zuul-jobs-test-registry-podman
        - zuul-jobs-test-ensure-kubernetes-docker
        - zuul-jobs-test-ensure-kubernetes-crio
        - zuul-jobs-test-ensure-podman-centos-8
        - zuul-jobs-test-ensure-podman-fedora-34
        - zuul-jobs-test-ensure-podman-ubuntu-bionic
        - zuul-jobs-test-ensure-skopeo-centos-8
        - zuul-jobs-test-ensure-skopeo-fedora-34
        - zuul-jobs-test-ensure-skopeo-ubuntu-bionic
        - zuul-jobs-test-ensure-skopeo-ubuntu-focal
    gate:
      jobs: &id001
        - zuul-jobs-test-ensure-docker-centos-7
        - zuul-jobs-test-ensure-docker-centos-8
        - zuul-jobs-test-ensure-docker-debian-stretch
        - zuul-jobs-test-ensure-docker-ubuntu-bionic
        - zuul-jobs-test-ensure-docker-ubuntu-xenial
        - zuul-jobs-test-build-container-image-release
        - zuul-jobs-test-build-docker-image-release
        - zuul-jobs-test-build-docker-image-release-multiarch
        - zuul-jobs-test-registry-docker
        - zuul-jobs-test-registry-docker-multiarch
        - zuul-jobs-test-registry-podman
        - zuul-jobs-test-ensure-kubernetes-docker
        - zuul-jobs-test-ensure-kubernetes-crio
        - zuul-jobs-test-ensure-podman-centos-8
        - zuul-jobs-test-ensure-podman-ubuntu-bionic
        - zuul-jobs-test-ensure-skopeo-centos-8
        - zuul-jobs-test-ensure-skopeo-fedora-34
        - zuul-jobs-test-ensure-skopeo-ubuntu-bionic
        - zuul-jobs-test-ensure-skopeo-ubuntu-focal
    periodic-weekly:
      jobs: *id001