Commit 35c31a2b by John Jarvis

writing out private key directly in the vars file

parent 92e99eb7
...@@ -28,7 +28,7 @@ CERTS_KEY_ID: "FEF8D954" ...@@ -28,7 +28,7 @@ CERTS_KEY_ID: "FEF8D954"
# Path to git identity file for pull access to # Path to git identity file for pull access to
# the edX certificates repo - REQUIRED # the edX certificates repo - REQUIRED
# Example - {{ secure_dir }}/files/git-identity # Example - {{ secure_dir }}/files/git-identity
CERTS_LOCAL_GIT_IDENTITY: !!null CERTS_GIT_IDENTITY: !!null
# Path to public and private gpg key for signing # Path to public and private gpg key for signing
# the edX certificate. Default is a dummy key # the edX certificate. Default is a dummy key
CERTS_LOCAL_PRIVATE_KEY: "example-private-key.txt" CERTS_LOCAL_PRIVATE_KEY: "example-private-key.txt"
...@@ -42,7 +42,7 @@ certs_venvs_dir: "{{ certs_app_dir }}/venvs" ...@@ -42,7 +42,7 @@ certs_venvs_dir: "{{ certs_app_dir }}/venvs"
certs_venv_dir: "{{ certs_venvs_dir }}/certs" certs_venv_dir: "{{ certs_venvs_dir }}/certs"
certs_venv_bin: "{{ certs_venv_dir }}/bin" certs_venv_bin: "{{ certs_venv_dir }}/bin"
certs_git_ssh: /tmp/git_ssh.sh certs_git_ssh: /tmp/git_ssh.sh
certs_git_identity: "{{ certs_app_dir }}/git-identity" certs_git_identity: "{{ certs_app_dir }}/certs-git-identity"
certs_requirements_file: "{{ certs_code_dir }}/requirements.txt" certs_requirements_file: "{{ certs_code_dir }}/requirements.txt"
certs_repo: "git@github.com:/edx/certificates" certs_repo: "git@github.com:/edx/certificates"
certs_version: 'master' certs_version: 'master'
......
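Review bot: The comment block above `CERTS_GIT_IDENTITY` still describes a file path (`# Path to git identity file for pull access to`, `# Example - {{ secure_dir }}/files/git-identity`), but after this change the variable carries the key material itself, since the certs task passes it as `content=`. Suggest replacing those three comment lines with `# Contents of the read-only git identity (private key) used to pull the edX certificates repo - REQUIRED` and `# Paste it as a literal block scalar (CERTS_GIT_IDENTITY: |) so the key's newlines are preserved`. The edxapp defaults touched by this commit already carry the "paste the contents" wording, so the two roles would then agree. The `{{ secure_dir }}` example should go entirely, as it now points readers at a path that is no longer read.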
...@@ -26,15 +26,11 @@ ...@@ -26,15 +26,11 @@
owner={{ certs_user }} mode=750 owner={{ certs_user }} mode=750
notify: restart certs notify: restart certs
- stat: path={{ CERTS_LOCAL_GIT_IDENTITY }}
register: certs_identity
- name: install read-only ssh key for the certs repo - name: install read-only ssh key for the certs repo
copy: > copy: >
src={{ CERTS_LOCAL_GIT_IDENTITY }} dest={{ certs_git_identity }} content={{ CERTS_GIT_IDENTITY }} dest={{ certs_git_identity }}
force=yes owner={{ certs_user }} mode=0600 force=yes owner={{ certs_user }} mode=0600
notify: restart certs notify: restart certs
when: certs_identity.stat.exists
- name: checkout certificates repo into {{ certs_code_dir }} - name: checkout certificates repo into {{ certs_code_dir }}
git: dest={{ certs_code_dir }} repo={{ certs_repo }} version={{ certs_version }} git: dest={{ certs_code_dir }} repo={{ certs_repo }} version={{ certs_version }}
...@@ -42,12 +38,10 @@ ...@@ -42,12 +38,10 @@
environment: environment:
GIT_SSH: "{{ certs_git_ssh }}" GIT_SSH: "{{ certs_git_ssh }}"
notify: restart certs notify: restart certs
when: certs_identity.stat.exists
- name: remove read-only ssh key for the certs repo - name: remove read-only ssh key for the certs repo
file: path={{ certs_git_identity }} state=absent file: path={{ certs_git_identity }} state=absent
notify: restart certs notify: restart certs
when: certs_identity.stat.exists
- name : install python requirements - name : install python requirements
pip: requirements="{{ certs_requirements_file }}" virtualenv="{{ certs_venv_dir }}" state=present pip: requirements="{{ certs_requirements_file }}" virtualenv="{{ certs_venv_dir }}" state=present
......
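Review bot: `content={{ CERTS_GIT_IDENTITY }}` inside the folded `copy: >` argument string will not survive a real private key: Ansible templates the whole string and then splits it into `key=value` pairs on whitespace, so a value containing spaces and newlines (`-----BEGIN ... KEY-----`) is cut at the first space and the remaining words are parsed as bogus arguments. Passing the module arguments as a mapping keeps the value intact; the edxapp copy task later in this commit (`content={{ EDXAPP_GIT_IDENTITY }}`) has the same construction and needs the same rewrite. Because the value is a private key, `no_log: true` on the task keeps it out of verbose task output, unless your Ansible version already masks `content`. Dropping the `stat`/`when: certs_identity.stat.exists` guards means this copy now runs unconditionally, so it relies entirely on the `fail` check in the other certs task file; that is fine as long as the two stay in sync.
```yaml
- name: install read-only ssh key for the certs repo
  copy:
    content: "{{ CERTS_GIT_IDENTITY }}"
    dest: "{{ certs_git_identity }}"
    force: true
    owner: "{{ certs_user }}"
    mode: "0600"
  no_log: true
  notify: restart certs
# … unchanged: checkout certificates repo task …
```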
...@@ -32,8 +32,8 @@ ...@@ -32,8 +32,8 @@
# - certs # - certs
# #
- name: Checking to see if git identity is set - name: Checking to see if git identity is set
fail: msg="You must set CERTS_LOCAL_GIT_IDENTITY var for this role!" fail: msg="You must set CERTS_GIT_IDENTITY var for this role!"
when: not CERTS_LOCAL_GIT_IDENTITY when: not CERTS_GIT_IDENTITY
- name: create application user - name: create application user
user: > user: >
......
...@@ -147,8 +147,9 @@ EDXAPP_AUTOMATOR_SUDO_CMDS: ...@@ -147,8 +147,9 @@ EDXAPP_AUTOMATOR_SUDO_CMDS:
- "ALL=({{ common_web_user }}) NOPASSWD:SETENV:{{ COMMON_BIN_DIR }}/python.edxapp {{ COMMON_BIN_DIR }}/manage.edxapp lms transfer_students *" - "ALL=({{ common_web_user }}) NOPASSWD:SETENV:{{ COMMON_BIN_DIR }}/python.edxapp {{ COMMON_BIN_DIR }}/manage.edxapp lms transfer_students *"
EDXAPP_USE_GIT_IDENTITY: false EDXAPP_USE_GIT_IDENTITY: false
# Example: "{{ secure_dir }}/files/git-identity" # Paste the contents of the git identity
EDXAPP_LOCAL_GIT_IDENTITY: !!null # into this var
EDXAPP_GIT_IDENTITY: !!null
# Configuration for database migration # Configuration for database migration
EDXAPP_TEST_MIGRATE_DB_NAME: "{{ COMMON_ENVIRONMENT }}_{{ COMMON_DEPLOYMENT }}_test_{{ EDXAPP_MYSQL_DB_NAME }}" EDXAPP_TEST_MIGRATE_DB_NAME: "{{ COMMON_ENVIRONMENT }}_{{ COMMON_DEPLOYMENT }}_test_{{ EDXAPP_MYSQL_DB_NAME }}"
...@@ -178,7 +179,7 @@ edxapp_staticfile_dir: "{{ edxapp_data_dir }}/staticfiles" ...@@ -178,7 +179,7 @@ edxapp_staticfile_dir: "{{ edxapp_data_dir }}/staticfiles"
edxapp_course_data_dir: "{{ edxapp_data_dir }}/data" edxapp_course_data_dir: "{{ edxapp_data_dir }}/data"
edxapp_upload_dir: "{{ edxapp_data_dir }}/uploads" edxapp_upload_dir: "{{ edxapp_data_dir }}/uploads"
edxapp_theme_dir: "{{ edxapp_data_dir }}/themes" edxapp_theme_dir: "{{ edxapp_data_dir }}/themes"
edxapp_git_identity: "{{ edxapp_app_dir }}/{{ EDXAPP_LOCAL_GIT_IDENTITY|basename }}" edxapp_git_identity: "{{ edxapp_app_dir }}/edxapp-git-identity"
edxapp_git_ssh: "/tmp/edxapp_git_ssh.sh" edxapp_git_ssh: "/tmp/edxapp_git_ssh.sh"
edxapp_pypi_local_mirror: "http://localhost:{{ devpi_port }}/root/pypi/+simple" edxapp_pypi_local_mirror: "http://localhost:{{ devpi_port }}/root/pypi/+simple"
edxapp_workers: edxapp_workers:
......
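Review bot: The new comment `# Paste the contents of the git identity` / `# into this var` does not say how, and a key pasted as a plain multi-line scalar is folded into one space-separated line by the YAML parser, which makes it unusable as a key. Suggest `# Paste the contents of the git identity into this var as a literal block scalar (EDXAPP_GIT_IDENTITY: |) so newlines are kept`. The abbey.py change in this commit emits exactly that block-scalar form, so the defaults comment would then describe what the tooling generates. Fixing `edxapp_git_identity` to `edxapp-git-identity` rather than deriving it from a local path is consistent with the certs role's `certs-git-identity`.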
...@@ -22,7 +22,7 @@ ...@@ -22,7 +22,7 @@
- name: install read-only ssh key - name: install read-only ssh key
copy: > copy: >
src={{ EDXAPP_LOCAL_GIT_IDENTITY }} dest={{ edxapp_git_identity }} content={{ EDXAPP_GIT_IDENTITY }} dest={{ edxapp_git_identity }}
force=yes owner={{ edxapp_user }} mode=0600 force=yes owner={{ edxapp_user }} mode=0600
when: EDXAPP_USE_GIT_IDENTITY when: EDXAPP_USE_GIT_IDENTITY
......
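Review bot: The copy task is guarded only by `when: EDXAPP_USE_GIT_IDENTITY`, while `EDXAPP_GIT_IDENTITY` defaults to `!!null`; if the flag is enabled but the key is left unset, `content={{ EDXAPP_GIT_IDENTITY }}` presumably renders the null as text and installs a 0600 file that is not a key, and the failure only surfaces later at the git checkout. The certs and xserver roles in this commit catch this up front with a `fail` task (`when: not CERTS_GIT_IDENTITY`); edxapp should get the same, e.g. `- name: checking for git identity`, `fail: msg="You must set EDXAPP_GIT_IDENTITY when EDXAPP_USE_GIT_IDENTITY is true"`, `when: EDXAPP_USE_GIT_IDENTITY and not EDXAPP_GIT_IDENTITY`. The enclosing task list starts before this hunk.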
...@@ -8,8 +8,8 @@ ...@@ -8,8 +8,8 @@
when: not XSERVER_GRADER_DIR or not XSERVER_GRADER_SOURCE when: not XSERVER_GRADER_DIR or not XSERVER_GRADER_SOURCE
- name: checking for git identity - name: checking for git identity
fail: msg="You must define XSERVER_LOCAL_GIT_IDENTITY to use this role" fail: msg="You must define XSERVER_GIT_IDENTITY to use this role"
when: not XSERVER_LOCAL_GIT_IDENTITY when: not XSERVER_GIT_IDENTITY
- name: create application user - name: create application user
user: > user: >
......
...@@ -200,11 +200,9 @@ def parse_args(): ...@@ -200,11 +200,9 @@ def parse_args():
def get_instance_sec_group(vpc_id): def get_instance_sec_group(vpc_id):
security_group_id = None
grp_details = ec2.get_all_security_groups( grp_details = ec2.get_all_security_groups(
filters={ filters={
'vpc_id':vpc_id, 'vpc_id': vpc_id,
'tag:play': args.play 'tag:play': args.play
} }
) )
...@@ -242,10 +240,14 @@ def create_instance_args(): ...@@ -242,10 +240,14 @@ def create_instance_args():
if args.identity: if args.identity:
config_secure = 'true' config_secure = 'true'
with open(args.identity) as f: with open(args.identity) as f:
identity_file = f.read() identity_contents = f.read()
else: else:
config_secure = 'false' config_secure = 'false'
identity_file = "dummy" identity_contents = "dummy"
# indent identity file with 4 spaces for
# yaml
identity_contents_indent = "\n".join((" ") + line for line in identity_contents.splitlines())
user_data = """#!/bin/bash user_data = """#!/bin/bash
set -x set -x
...@@ -311,7 +313,7 @@ chmod 755 $git_ssh ...@@ -311,7 +313,7 @@ chmod 755 $git_ssh
if $config_secure; then if $config_secure; then
cat << EOF > $secure_identity cat << EOF > $secure_identity
{identity_file} {identity_contents}
EOF EOF
fi fi
...@@ -331,7 +333,8 @@ cat << EOF >> $extra_vars ...@@ -331,7 +333,8 @@ cat << EOF >> $extra_vars
# EDXAPP_USE_GIT_IDENTITY needs to be set # EDXAPP_USE_GIT_IDENTITY needs to be set
# to true in the extra vars for this # to true in the extra vars for this
# variable to be used. # variable to be used.
EDXAPP_LOCAL_GIT_IDENTITY: $secure_identity EDXAPP_GIT_IDENTITY: |
{identity_contents_indent}
# abbey will always run fake migrations # abbey will always run fake migrations
# this is so that the application can come # this is so that the application can come
...@@ -377,7 +380,8 @@ rm -rf $base_dir ...@@ -377,7 +380,8 @@ rm -rf $base_dir
deployment=args.deployment, deployment=args.deployment,
play=args.play, play=args.play,
config_secure=config_secure, config_secure=config_secure,
identity_file=identity_file, identity_contents_indent=identity_contents_indent,
identity_contents=identity_contents,
queue_name=run_id, queue_name=run_id,
extra_vars_yml=extra_vars_yml, extra_vars_yml=extra_vars_yml,
git_refs_yml=git_refs_yml, git_refs_yml=git_refs_yml,
...@@ -543,7 +547,7 @@ def create_ami(instance_id, name, description): ...@@ -543,7 +547,7 @@ def create_ami(instance_id, name, description):
time.sleep(AWS_API_WAIT_TIME) time.sleep(AWS_API_WAIT_TIME)
img.add_tag("build_id", args.jenkins_build) img.add_tag("build_id", args.jenkins_build)
time.sleep(AWS_API_WAIT_TIME) time.sleep(AWS_API_WAIT_TIME)
for repo,ref in git_refs.items(): for repo, ref in git_refs.items():
key = "vars:{}".format(repo) key = "vars:{}".format(repo)
img.add_tag(key, ref) img.add_tag(key, ref)
time.sleep(AWS_API_WAIT_TIME) time.sleep(AWS_API_WAIT_TIME)
......
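Review bot: The private key now reaches the instance twice, as the heredoc into `$secure_identity` and again inside `$extra_vars` via the new `EDXAPP_GIT_IDENTITY: |` block in the `cat << EOF >> $extra_vars` hunk; where `$extra_vars` is created and with what mode is outside this hunk, so make sure that file is created 0600 like the identity file and is presumably cleaned up with `rm -rf $base_dir`, since a world-readable vars file would expose the key to every local user on the instance. In `create_instance_args`, the comment `# indent identity file with 4 spaces for yaml` does not match the prefix as rendered here, `(" ") + line`, which shows a single space — if the page collapsed the whitespace that is fine, but a named constant such as `yaml_indent = " " * 4` used in the join would make the intent checkable, and the parentheses around the literal are unnecessary. A blank line inside the key becomes an indent-only line inside the block scalar, which YAML reads as an empty line, so that case is safe. `create_instance_args` starts and ends outside the hunk.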