-rw-r--r--.gitlab-ci.yml26
-rw-r--r--provider_base/services/webapp.json1
-rw-r--r--puppet/modules/site_apt/manifests/leap_repo.pp8
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp1
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb1
-rwxr-xr-xtests/platform-ci/ci-build.sh98
6 files changed, 106 insertions, 29 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5654238e..6da735d4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -60,18 +60,38 @@ deploy_test:
except:
- master
script:
- - su -c '/usr/bin/unbuffer ./ci-build.sh' cirunner
+ - su -c '/usr/bin/unbuffer bash -o pipefail ./ci-build.sh | /usr/bin/ts' cirunner
# Latest job will only run on the master branch, which means all merge requests
# that are created from branches don't get to deploy to the latest-ci server.
# When a merge request is merged, then the latest job will deploy the code to
# the latest provider, and the deployment will be recorded in an environment
# named 'latest'
-latest:
+ci.leap.se:
stage: deploy
environment:
name: staging
only:
- - master
+ - master@leap/platform
+ script:
+ - su -c '/usr/bin/unbuffer ./ci-build.sh' cirunner
+
+demo.bitmask.net:
+ stage: deploy
+ environment:
+ name: production/demo/vpn
+ only:
+ - master
+ when: manual
+ script:
+ - su -c '/usr/bin/unbuffer ./ci-build.sh' cirunner
+
+mail.bitmask.net:
+ stage: deploy
+ environment:
+ name: production/demo/mail
+ only:
+ - master
+ when: manual
script:
- su -c '/usr/bin/unbuffer ./ci-build.sh' cirunner
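Review bot: In the new `deploy_test` script line, `-o pipefail` is passed to the bash that runs ci-build.sh, but the pipeline `… ./ci-build.sh | /usr/bin/ts` is assembled by the shell that `su -c` spawns for cirunner, so unless that shell has pipefail enabled the job's exit status is the exit status of `ts` and a failing build still passes the stage. Moving the pipeline inside the bash invocation keeps the intent: `- su -c 'bash -o pipefail -c "/usr/bin/unbuffer ./ci-build.sh | /usr/bin/ts"' cirunner`. Note also that ci-build.sh drops its own `} | /usr/bin/ts -s` wrapper in this commit, so the three deploy jobs (`ci.leap.se`, `demo.bitmask.net`, `mail.bitmask.net`), which still call `./ci-build.sh` bare, lose their timestamps; apply the same wrapper there if that was not intended.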
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 064d5b1a..ede3bf66 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -23,6 +23,7 @@
"invite_required": "= provider.enrollment_policy == 'invite'",
"default_service_level": "= provider.service.default_service_level",
"service_levels": "= service_levels()",
+ "secret_key_base": "= secret :webapp_secret_key_base",
"secret_token": "= secret :webapp_secret_token",
"api_version": 1,
"secure": false,
diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp
index 3d95d8b6..7c6c49c5 100644
--- a/puppet/modules/site_apt/manifests/leap_repo.pp
+++ b/puppet/modules/site_apt/manifests/leap_repo.pp
@@ -4,8 +4,14 @@ class site_apt::leap_repo {
$platform = hiera_hash('platform')
$major_version = $platform['major_version']
+ if $::site_apt::apt_url_platform_basic =~ /.*experimental.*/ {
+ $archive_key = '/usr/share/keyrings/leap-experimental-archive.gpg'
+ } else {
+ $archive_key = '/usr/share/keyrings/leap-archive.gpg'
+ }
+
apt::sources_list { 'leap.list':
- content => "deb ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_codename} ${::site_apt::apt_platform_component}\n",
+ content => "deb [signed-by=${archive_key}] ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_codename} ${::site_apt::apt_platform_component}\n",
before => Exec[refresh_apt]
}
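Review bot: The `signed-by=${archive_key}` added to the `leap.list` content points apt at a keyring file that nothing in this hunk orders before the source list; if that keyring is installed by a Puppet resource in this module, the `apt::sources_list` should `require` it (e.g. `require => File[$archive_key],` next to the existing `before`), otherwise the first `refresh_apt` run on a fresh host can fail on a missing keyring — worth confirming where the keyrings come from. Smaller style point: in `=~ /.*experimental.*/` the surrounding `.*` are redundant for an unanchored match; `=~ /experimental/` reads the same.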
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 1ae80012..deb8e8c8 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -10,6 +10,7 @@ class site_webapp {
$provider_domain = $node_domain['full_suffix']
$webapp = hiera('webapp')
$api_version = $webapp['api_version']
+ $secret_key_base = $webapp['secret_key_base']
$secret_token = $webapp['secret_token']
$tor = hiera('tor', false)
$sources = hiera('sources')
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index dd55d3e9..1a802f4c 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -8,6 +8,7 @@ production = {
"force_ssl" => @webapp['secure'],
"client_ca_key" => "%s/%s.key" % [scope.lookupvar('x509::variables::keys'), scope.lookupvar('site_config::params::client_ca_name')],
"client_ca_cert" => "%s/%s.crt" % [scope.lookupvar('x509::variables::local_CAs'), scope.lookupvar('site_config::params::client_ca_name')],
+ "secret_key_base" => @secret_key_base,
"secret_token" => @secret_token,
"client_cert_lifespan" => cert_options['life_span'],
"client_cert_bit_size" => cert_options['bit_size'].to_i,
diff --git a/tests/platform-ci/ci-build.sh b/tests/platform-ci/ci-build.sh
index b39f6874..34876a73 100755
--- a/tests/platform-ci/ci-build.sh
+++ b/tests/platform-ci/ci-build.sh
@@ -22,11 +22,16 @@ set -e
# so exit codes will be caught correctly.
set -o pipefail
-# we wrap the whole script in curly braces so we can pipe it all through ts to
-# get timestamps. If we put it outside of the script, then we can't get proper
-# pipefail results.
+# Check if scipt is run in debug mode so we can hide secrets
+if [[ "$-" =~ 'x' ]]
+then
+ echo 'Running with xtrace enabled!'
+ xtrace=true
+else
+ echo 'Running with xtrace disabled!'
+ xtrace=false
+fi
-{
# leap_platform/tests/platform-ci
# shellcheck disable=SC2086
ROOTDIR=$(readlink -f "$(dirname $0)")
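Review bot: The new comment at the top of the xtrace check has a typo; it should read `# Check if script is run in debug mode so we can hide secrets`. The same applies to `# Dsiable xtrace` in the build_from_scratch hunk below, which should read `# Disable xtrace`.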
@@ -34,9 +39,20 @@ ROOTDIR=$(readlink -f "$(dirname $0)")
# leap_platform
PLATFORMDIR=$(readlink -f "${ROOTDIR}/../..")
-LEAP_CMD() {
- /usr/local/bin/bundle exec leap -v2 --yes "$@"
-}
+# In the gitlab CI pipeline leap is installed in a different
+# stage by bundle. To debug you can run a single CI job locally
+# so we install leap_cli as gem here.
+if /usr/local/bin/bundle exec leap >/dev/null 2>&1
+then
+ LEAP_CMD() {
+ /usr/local/bin/bundle exec leap -v2 --yes "$@"
+ }
+else
+ sudo gem install leap_cli
+ LEAP_CMD() {
+ leap -v2 --yes "$@"
+ }
+fi
deploy() {
LEAP_CMD deploy "$TAG"
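Review bot: The fallback `sudo gem install leap_cli` pulls whatever version is current on rubygems at run time, so a local run can exercise a different leap_cli than the bundle-pinned one the pipeline uses and can break on an upstream release with no change in this repo; pin it, e.g. `sudo gem install leap_cli -v '<PINNED_VERSION>'` (placeholder — match the version the bundle resolves). The branch choice also rests on `bundle exec leap` with no arguments exiting 0 when installed; if it prints usage and exits non-zero, the gem path is taken every time, including in CI — worth confirming. `deploy()` continues past the end of the hunk.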
@@ -54,22 +70,56 @@ build_from_scratch() {
# Create cloud.json needed for `leap vm` commands using AWS credentials
which jq || ( apt-get update -y && apt-get install jq -y )
+
+ # Dsiable xtrace
+ set +x
/usr/bin/jq ".platform_ci.auth |= .+ {\"aws_access_key_id\":\"$AWS_ACCESS_KEY\", \"aws_secret_access_key\":\"$AWS_SECRET_KEY\"}" < cloud.json.template > cloud.json
+ # Enable xtrace again only if it was set at beginning of script
+ [[ $xtrace == true ]] && set -x
[ -d "./tags" ] || mkdir "./tags"
/bin/echo "{\"environment\": \"$TAG\"}" | /usr/bin/json_pp > "${PROVIDERDIR}/tags/${TAG}.json"
pwd
+
+# remove old cached nodes
+ echo "Removing old cached nodes..."
+ find nodes -name 'citest*' -exec rm {} \;
+
+ echo "Listing current VM status..."
LEAP_CMD vm status "$TAG"
# shellcheck disable=SC2086
- LEAP_CMD vm add "$NAME" services:"$SERVICES" tags:"$TAG" $SEEDS
+ echo "Adding VM $NAME with the services: $SERVICES and the tags: $TAG"
+ LEAP_CMD vm add "$NAME" services:"$SERVICES" tags:"$TAG"
+ echo "Compiling $TAG..."
LEAP_CMD compile "$TAG"
+ echo "Listing current VM status for TAG: $TAG..."
LEAP_CMD vm status "$TAG"
+ echo "Running leap list..."
+ LEAP_CMD list
+
+ echo "Running leap node init on TAG: $TAG"
LEAP_CMD node init "$TAG"
+ echo "Running leap info on $TAG"
LEAP_CMD info "${TAG}"
}
+run() {
+ echo "Cloning $1 repo: $2"
+ git clone -q --depth 1 "$2"
+ cd "$1"
+ git rev-parse HEAD
+ echo -n "Operating in the $1 directory: "
+ pwd
+ echo "Listing current node information..."
+ LEAP_CMD list
+ echo "Attempting a deploy..."
+ deploy
+ echo "Attempting to run tests..."
+ test
+}
+
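Review bot: The `# shellcheck disable=SC2086` directive above the `vm add` block now sits over the new `echo "Adding VM …"` line, while the unquoted `$SEEDS` it was suppressing has been dropped from `LEAP_CMD vm add`; the directive is stale and can be removed. Also `# remove old cached nodes` is at column 0 inside build_from_scratch while the surrounding body is indented; indent it with the code it describes. build_from_scratch starts before this hunk.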
#
# Main
#
@@ -86,33 +136,32 @@ set +x
/bin/chmod 600 ~/.ssh/id_rsa
/bin/cp "${ROOTDIR}/provider/users/gitlab-runner/gitlab-runner_ssh.pub" ~/.ssh/id_rsa.pub
+# Enable xtrace again only if it was set at beginning of script
+[[ $xtrace == true ]] && set -x
+
case "$CI_ENVIRONMENT_NAME" in
- latest)
+ staging)
TAG='latest'
- echo "Cloning ibex provider..."
- git clone -q --depth 1 ssh://gitolite@leap.se/ibex
- cd ibex
- git rev-parse HEAD
- echo -n "Operating in the ibex directory: "
- pwd
- echo "Listing current node information..."
- LEAP_CMD list
- echo "Attempting a deploy..."
- deploy
- echo "Attempting to run tests..."
- test
+ run ibex ssh://gitolite@leap.se/ibex
+ ;;
+ production/demo/mail)
+ TAG='demomail'
+ run bitmask ssh://gitolite@leap.se/bitmask
+ ;;
+ production/demo/vpn)
+ TAG='demovpn'
+ run bitmask ssh://gitolite@leap.se/bitmask
;;
*)
# create node(s) with unique id so we can run tests in parallel
- NAME="citest${CI_BUILD_ID}"
+ NAME="citest${CI_BUILD_ID:-0}"
# when using gitlab-runner locally, CI_BUILD_ID is always 1 which
# will conflict with running/terminating AWS instances in subsequent runs
# therefore we pick a random number in this case
- [ "$CI_BUILD_ID" -eq "1" ] && NAME+="000${RANDOM}"
+ [ "${CI_BUILD_ID:-0}" -eq "1" ] && NAME+="000${RANDOM}"
TAG='single'
SERVICES='couchdb,soledad,mx,webapp,tor,monitor'
- SEEDS=''
build_from_scratch
# Deploy and test
deploy
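Review bot: `NAME="citest${CI_BUILD_ID:-0}"` together with the following `[ "${CI_BUILD_ID:-0}" -eq "1" ]` only adds the random suffix when the id is exactly 1, so a run with `CI_BUILD_ID` unset always gets `citest0` and the collision the comment describes for local runs comes back for that case. Defaulting to 1 instead routes the unset case through the randomizer: `NAME="citest${CI_BUILD_ID:-1}"` and `[ "${CI_BUILD_ID:-1}" -eq "1" ] && NAME+="000${RANDOM}"`. The case statement continues past the end of the hunk.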
@@ -122,4 +171,3 @@ case "$CI_ENVIRONMENT_NAME" in
[ -f "nodes/${NAME}.json" ] && /bin/rm "nodes/${NAME}.json"
;;
esac
-} | /usr/bin/ts -s