ReleaseEngineering/PuppetAgain/Modules/slave secrets

From MozillaWiki

This module manages secret data on slaves.

Google API Key

This class optionally (if $config::install_google_api_key is set) installs a Google API key in `/builds/gapi.data`, containing secret("google_api_key").

SSH Keys

SSH keys are a little more complicated. First, slaves have a trustlevel, which is set as a node-scope variable $slave_trustlevel. This should be "core" in general, or "try" for hosts which build or run untrusted code. The intention is to separate slaves that are trusted to have important secrets and create real builds from those which might easily be compromised.

Second, you'll need to provide a "keyset", which is the list of keys to be installed on the slave, by adding a clause for your organization to `modules/slave_secrets/manifests/ssh_keys.pp`. The keysets are a map from key name (the filename in ~/.ssh) to secret name. This can be as simple as

           $prod_try_keyset = {
               'somekey' => 'builder_ssh_key_some',
               'anotherkey' => 'builder_ssh_key_another',
           }

or as complex as you'd like. Moco's is pretty complex!

Note that the slave type -- build or test -- is passed as an argument to the class. It may be helpful to distinguish SSH keys on that basis.
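The following manifest is an added example (not the slave_secrets module's own code) showing how a keyset is chosen by trust level and slave type and then turned into 0600 files in ~/.ssh; it assumes Puppet 4+ iteration, a `secret()` function as used above, and the constructed names `slave_secrets::example_ssh_keys`, `$config::builder_home`, `$config::builder_username` and the `$prod_*_keyset` variables.

```puppet
# Added example, not the module's own manifest. Assumed: Puppet 4+ (for each),
# the PuppetAgain secret() function, and $config::builder_home/builder_username.
class slave_secrets::example_ssh_keys($slave_type) {
  $home  = $config::builder_home
  $owner = $config::builder_username

  # Constructed keysets: filename in ~/.ssh => secret name
  $prod_build_keyset = { 'somekey'    => 'builder_ssh_key_some',
                         'anotherkey' => 'builder_ssh_key_another' }
  $prod_test_keyset  = { 'testkey'    => 'tester_ssh_key_some' }
  $prod_try_keyset   = { 'trykey'     => 'try_builder_ssh_key' }

  # Trust level decides first: "try" slaves run untrusted code, so they only
  # ever get the try keyset. Anything unexpected gets no keys at all rather
  # than accidentally receiving core secrets.
  case $slave_trustlevel {
    'core': {
      case $slave_type {
        'build': { $keyset = $prod_build_keyset }
        'test':  { $keyset = $prod_test_keyset }
        default: { $keyset = {} }
      }
    }
    'try':   { $keyset = $prod_try_keyset }
    default: { $keyset = {} }
  }

  file { "${home}/.ssh":
    ensure => directory,
    owner  => $owner,
    group  => $owner,
    mode   => '0700',
  }

  # One private key file per keyset entry; show_diff => false keeps key
  # material out of agent logs and reports when the content changes.
  $keyset.each |String $keyname, String $secret_name| {
    file { "${home}/.ssh/${keyname}":
      ensure    => file,
      owner     => $owner,
      group     => $owner,
      mode      => '0600',
      content   => secret($secret_name),
      show_diff => false,
      require   => File["${home}/.ssh"],
    }
  }
}
```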

See Secrets for help creating secrets.