[Merge] lp:~blr/canonical-mojo-specs/rutabaga-set-build-label-predeploy into lp:~canonical-launchpad-branches/canonical-mojo-specs/trunk
Kit Randel has proposed merging lp:~blr/canonical-mojo-specs/rutabaga-set-build-label-predeploy into lp:~canonical-launchpad-branches/canonical-mojo-specs/trunk.
Commit message:
* Set build_label on predeploy.
* Use 'snap-proxy' in site_name rather than the less meaningful project name.
* Restrict http to blog.launchpad.net to GET.
* Set casesensitive and credentialsttl keys for qastaging squid-fp deploy.
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~blr/canonical-mojo-specs/rutabaga-set-build-label-predeploy/+merge/282538
--
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~blr/canonical-mojo-specs/rutabaga-set-build-label-predeploy into lp:~canonical-launchpad-branches/canonical-mojo-specs/trunk.
=== modified file 'lp/mojo-lp-snap-proxy/devel/deploy'
--- lp/mojo-lp-snap-proxy/devel/deploy 2015-12-10 07:53:03 +0000
+++ lp/mojo-lp-snap-proxy/devel/deploy 2016-01-14 21:25:11 +0000
@@ -11,7 +11,7 @@
to: squid-forwardproxy
options:
nagios_context: lp-devel-snap-proxy
- site_name: rutabaga.launchpad.dev
+ site_name: snap-proxy.launchpad.dev
rutabaga-gunicorn:
charm: gunicorn
squid-forwardproxy:
=== modified file 'lp/mojo-lp-snap-proxy/predeploy'
--- lp/mojo-lp-snap-proxy/predeploy 2015-12-09 02:25:48 +0000
+++ lp/mojo-lp-snap-proxy/predeploy 2016-01-14 21:25:11 +0000
@@ -4,37 +4,41 @@
TOP="${0%/*}"
create_admin_api_secret () {
+ local secret="$1"
+
+ [ ! -e "$secret" ] || return 0
+
+ # The admin API secret should normally remain constant across
+ # deployments, but when we need to rotate it, we just need to remove it
+ # from ${MOJO_LOCAL_DIR}/admin-api-secret and redeploy.
python -c '
import random
import string
+import sys
-print("".join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32)))
-'
+rnd = random.SystemRandom()
+with open(sys.argv[1], "wb") as f:
+ f.write("".join(
+ rnd.choice(string.ascii_uppercase + string.digits) for _ in range(32)))
+' "$secret"
}
-case "${MOJO_STAGE##*/}" in
- devel)
- ADMIN_API_SECRET=$(create_admin_api_secret)
- CONTAINER_NAME="${MOJO_DOWNLOADER_CONTAINER_NAME:-${MOJO_PROJECT}-builds}"
- STORAGE_URL="$(${TOP}/utils/get-swift-storage-url)"
- echo "Setting BUILD_LABEL..."
- COMBINED_BUILD_LABEL="$(
- ATTEMPTED_OR_SUCCESSFUL=updatedfrom \
- MOJO_DOWNLOADER_ANONYMOUS=1 \
- ${TOP}/utils/get-last-build-label)"
- RUTABAGA_BUILD_LABEL="$(
- echo "$COMBINED_BUILD_LABEL" | sed -n 's/^rutabaga=//p')"
- cat >"${MOJO_LOCAL_DIR}/deploy-secrets" <<EOF
-rutabaga:
- services:
- rutabaga:
- options:
- build_label: ${RUTABAGA_BUILD_LABEL}
- swift_container_name: ${CONTAINER_NAME}
- swift_storage_url: ${STORAGE_URL}
- admin_api_secret: ${ADMIN_API_SECRET}
-EOF
- ;;
-esac
+create_admin_api_secret "${MOJO_LOCAL_DIR}/admin-api-secret"
+
+ADMIN_API_SECRET="$(cat "${MOJO_LOCAL_DIR}/admin-api-secret")"
+CONTAINER_NAME="${MOJO_DOWNLOADER_CONTAINER_NAME:-${MOJO_PROJECT}-builds}"
+STORAGE_URL="$(${TOP}/utils/get-swift-storage-url)"
+COMBINED_BUILD_LABEL="$(
+ ATTEMPTED_OR_SUCCESSFUL=updatedfrom \
+ MOJO_DOWNLOADER_ANONYMOUS=1 \
+ ${TOP}/utils/get-last-build-label)"
+RUTABAGA_BUILD_LABEL="$(
+ echo "$COMBINED_BUILD_LABEL" | sed -n 's/^rutabaga=//p')"
+
+${TOP}/utils/set-local-config rutabaga rutabaga \
+ build_label="${RUTABAGA_BUILD_LABEL}" \
+ swift_container_name="${CONTAINER_NAME}" \
+ swift_storage_url="${STORAGE_URL}" \
+ admin_api_secret="${ADMIN_API_SECRET}"
exit 0
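Review bot: The secret file created by `open(sys.argv[1], "wb")` inherits the process umask, so `admin-api-secret` can end up group- or world-readable in `${MOJO_LOCAL_DIR}` even though the value is then fed straight into the deploy options; create it with an explicit mode instead, `import os`, `fd = os.open(sys.argv[1], os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)`, `with os.fdopen(fd, "w") as f:`. `O_EXCL` also makes the "only generate if absent" rule atomic, so the shell-side `[ ! -e "$secret" ] || return 0` check no longer races with a concurrent run that could clobber a just-written secret. Writing a `str` into a file opened with `"wb"` only works under Python 2, which the `#!/usr/bin/env python` shebang used elsewhere in this change suggests is the target; using `"w"` avoids a TypeError should the interpreter ever be Python 3.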
=== modified file 'lp/mojo-lp-snap-proxy/qastaging/deploy'
--- lp/mojo-lp-snap-proxy/qastaging/deploy 2015-12-08 10:36:19 +0000
+++ lp/mojo-lp-snap-proxy/qastaging/deploy 2016-01-14 21:25:11 +0000
@@ -14,7 +14,7 @@
options:
log_hosts_allow: carob.canonical.com
nagios_context: lp-stagingstack-snap-proxy
- site_name: rutabaga.qastaging.paddev.net
+ site_name: snap-proxy.qastaging.paddev.net
rutabaga-gunicorn:
charm: gunicorn
squid-forwardproxy:
@@ -31,6 +31,14 @@
{"!port": [80, 443], http_access: deny},
# Whitelist HTTP methods
{"!method": [GET, POST, CONNECT], http_access: deny},
+ {port: [80], method: [GET],
+ src: [127.0.0.1/8],
+ # DSTDOMAIN IS FORBIDDEN.
+ dst: [
+ # blog.launchpad.net, a benign host for nagios checks.
+ 91.189.94.159, 162.213.33.232,
+ ],
+ http_access: allow},
# Only allow authenticated requests
{"!proxy_auth": ["REQUIRED"]},
# Whitelist localhost and Buildds.
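Review bot: The relocated allow rule now precedes the `{"!proxy_auth": ["REQUIRED"]}` deny, so it grants unauthenticated GET to the two listed addresses for loopback sources, but the only comment on it says which host the IPs belong to, not that bypassing authentication here is deliberate. A comment on the rule such as `# Intentionally before proxy_auth: nagios on localhost probes blog.launchpad.net; keep src limited to loopback.` would stop a later reorder or src widening from silently turning this into an open unauthenticated path. The source `127.0.0.1/8` is normally written `127.0.0.0/8`; I believe Squid masks the host bits (newer versions warn about them), but the canonical form is easier to audit against the intent. The enclosing `http_access` list begins before this hunk.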
@@ -43,13 +51,6 @@
# URLs containing IP addresses, Squid will look up
# the PTR and match it against dstdomain rules!
# This is obviously completely holey.
- {port: [80, 443], method: [GET, POST, CONNECT],
- # DSTDOMAIN IS FORBIDDEN.
- dst: [
- # blog.launchpad.net, a benign host for nagios checks.
- 91.189.94.159, 162.213.33.232,
- ],
- http_access: allow},
# Forbid internal networks since a lot of systems
# assume that our entire PI space is trustworthy.
# Problematic for webhooks to internal services,
@@ -94,7 +95,9 @@
http_access: allow},
]
auth_params: |
- [{"scheme": "basic", "program": "/srv/rutabaga/code/rutabaga/scripts/rutabaga_auth_helper.py"}]
+ [{"scheme": "basic", "program": "/srv/rutabaga/code/rutabaga/scripts/rutabaga_auth_helper.py"},
+ {"scheme": "basic", "credentialsttl": "1 minute"},
+ {"scheme": "basic", "casesensitive": "on"}]
relations:
- ["rutabaga", ["rutabaga-gunicorn", "squid-forwardproxy"]]
- ["nrpe", "squid-forwardproxy"]
=== added file 'lp/utils/set-local-config'
--- lp/utils/set-local-config 1970-01-01 00:00:00 +0000
+++ lp/utils/set-local-config 2016-01-14 21:25:11 +0000
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+
+import os.path
+import sys
+
+import yaml
+
+
+stack = sys.argv[1]
+service = sys.argv[2]
+
+stage = os.environ['MOJO_STAGE']
+
+local_config_path = os.path.join(
+ '/srv', 'mojo', 'LOCAL', os.environ['MOJO_PROJECT'],
+ stage, 'deploy-secrets')
+
+print("Updating local config at {}".format(local_config_path))
+
+if os.path.exists(local_config_path):
+ with open(local_config_path) as config_file:
+ config = yaml.safe_load(config_file)
+else:
+ config = {}
+config.setdefault(stack, {}).setdefault('services', {}).setdefault(
+ service, {}).setdefault('options', {})
+for option in sys.argv[3:]:
+ key, value = option.split('=', 1)
+ config[stack]['services'][service]['options'][key] = value
+with open(local_config_path, 'w') as config_file:
+ yaml.dump(config, config_file, indent=4, default_flow_style=False)
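Review bot: `local_config_path` is rebuilt from `/srv/mojo/LOCAL`, `MOJO_PROJECT` and `MOJO_STAGE`, while the predeploy in this same change reads and writes its secret under `${MOJO_LOCAL_DIR}`; if the two ever diverge the options land in a file the deploy never reads. Deriving it from the same variable, `local_config_path = os.path.join(os.environ['MOJO_LOCAL_DIR'], 'deploy-secrets')`, keeps a single source of truth, assuming `MOJO_LOCAL_DIR` is exported to the utils the way it is to predeploy. The rewritten file carries `admin_api_secret`, yet `open(local_config_path, 'w')` creates it with the umask default when it did not previously exist; `fd = os.open(local_config_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as config_file:` pins the mode. A short module docstring stating the argv contract (`stack service key=value ...`) and that existing keys are overwritten would also help, since the script currently documents itself only through its name.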