diff options
| -rw-r--r-- | .gitlab-ci.yml | 26 | ||||
| -rw-r--r-- | provider_base/services/webapp.json | 1 | ||||
| -rw-r--r-- | puppet/modules/site_apt/manifests/leap_repo.pp | 8 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/init.pp | 1 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/templates/config.yml.erb | 1 | ||||
| -rwxr-xr-x | tests/platform-ci/ci-build.sh | 98 |
6 files changed, 106 insertions, 29 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5654238e..6da735d4 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -60,18 +60,38 @@ deploy_test: except: - master script: - - su -c '/usr/bin/unbuffer ./ci-build.sh' cirunner + - su -c '/usr/bin/unbuffer bash -o pipefail ./ci-build.sh | /usr/bin/ts' cirunner # Latest job will only run on the master branch, which means all merge requests # that are created from branches don't get to deploy to the latest-ci server. # When a merge request is merged, then the latest job will deploy the code to # the latest provider, and the deployment will be recorded in an environment # named 'latest' -latest: +ci.leap.se: stage: deploy environment: name: staging only: - - master + - master@leap/platform + script: + - su -c '/usr/bin/unbuffer ./ci-build.sh' cirunner + +demo.bitmask.net: + stage: deploy + environment: + name: production/demo/vpn + only: + - master + when: manual + script: + - su -c '/usr/bin/unbuffer ./ci-build.sh' cirunner + +mail.bitmask.net: + stage: deploy + environment: + name: production/demo/mail + only: + - master + when: manual script: - su -c '/usr/bin/unbuffer ./ci-build.sh' cirunner diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 064d5b1a..ede3bf66 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -23,6 +23,7 @@ "invite_required": "= provider.enrollment_policy == 'invite'", "default_service_level": "= provider.service.default_service_level", "service_levels": "= service_levels()", + "secret_key_base": "= secret :webapp_secret_key_base", "secret_token": "= secret :webapp_secret_token", "api_version": 1, "secure": false, diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 3d95d8b6..7c6c49c5 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -4,8 +4,14 @@ class site_apt::leap_repo { $platform = hiera_hash('platform') $major_version = $platform['major_version'] + if $::site_apt::apt_url_platform_basic =~ /.*experimental.*/ { + $archive_key = '/usr/share/keyrings/leap-experimental-archive.gpg' + } else { + $archive_key = '/usr/share/keyrings/leap-archive.gpg' + } + apt::sources_list { 'leap.list': - content => "deb ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_codename} ${::site_apt::apt_platform_component}\n", + content => "deb [signed-by=${archive_key}] ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_codename} ${::site_apt::apt_platform_component}\n", before => Exec[refresh_apt] } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 1ae80012..deb8e8c8 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -10,6 +10,7 @@ class site_webapp { $provider_domain = $node_domain['full_suffix'] $webapp = hiera('webapp') $api_version = $webapp['api_version'] + $secret_key_base = $webapp['secret_key_base'] $secret_token = $webapp['secret_token'] $tor = hiera('tor', false) $sources = hiera('sources') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index dd55d3e9..1a802f4c 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -8,6 +8,7 @@ production = { "force_ssl" => @webapp['secure'], "client_ca_key" => "%s/%s.key" % [scope.lookupvar('x509::variables::keys'), scope.lookupvar('site_config::params::client_ca_name')], "client_ca_cert" => "%s/%s.crt" % [scope.lookupvar('x509::variables::local_CAs'), scope.lookupvar('site_config::params::client_ca_name')], + "secret_key_base" => @secret_key_base, "secret_token" => @secret_token, "client_cert_lifespan" => cert_options['life_span'], "client_cert_bit_size" => cert_options['bit_size'].to_i, diff --git a/tests/platform-ci/ci-build.sh b/tests/platform-ci/ci-build.sh index b39f6874..34876a73 100755 --- a/tests/platform-ci/ci-build.sh +++ b/tests/platform-ci/ci-build.sh @@ -22,11 +22,16 @@ set -e # so exit codes will be caught correctly. set -o pipefail -# we wrap the whole script in curly braces so we can pipe it all through ts to -# get timestamps. If we put it outside of the script, then we can't get proper -# pipefail results. +# Check if scipt is run in debug mode so we can hide secrets +if [[ "$-" =~ 'x' ]] +then + echo 'Running with xtrace enabled!' + xtrace=true +else + echo 'Running with xtrace disabled!' + xtrace=false +fi -{ # leap_platform/tests/platform-ci # shellcheck disable=SC2086 ROOTDIR=$(readlink -f "$(dirname $0)") @@ -34,9 +39,20 @@ ROOTDIR=$(readlink -f "$(dirname $0)") # leap_platform PLATFORMDIR=$(readlink -f "${ROOTDIR}/../..") -LEAP_CMD() { - /usr/local/bin/bundle exec leap -v2 --yes "$@" -} +# In the gitlab CI pipeline leap is installed in a different +# stage by bundle. To debug you can run a single CI job locally +# so we install leap_cli as gem here. +if /usr/local/bin/bundle exec leap >/dev/null 2>&1 +then + LEAP_CMD() { + /usr/local/bin/bundle exec leap -v2 --yes "$@" + } +else + sudo gem install leap_cli + LEAP_CMD() { + leap -v2 --yes "$@" + } +fi deploy() { LEAP_CMD deploy "$TAG" @@ -54,22 +70,56 @@ build_from_scratch() { # Create cloud.json needed for `leap vm` commands using AWS credentials which jq || ( apt-get update -y && apt-get install jq -y ) + + # Dsiable xtrace + set +x /usr/bin/jq ".platform_ci.auth |= .+ {\"aws_access_key_id\":\"$AWS_ACCESS_KEY\", \"aws_secret_access_key\":\"$AWS_SECRET_KEY\"}" < cloud.json.template > cloud.json + # Enable xtrace again only if it was set at beginning of script + [[ $xtrace == true ]] && set -x [ -d "./tags" ] || mkdir "./tags" /bin/echo "{\"environment\": \"$TAG\"}" | /usr/bin/json_pp > "${PROVIDERDIR}/tags/${TAG}.json" pwd + +# remove old cached nodes + echo "Removing old cached nodes..." + find nodes -name 'citest*' -exec rm {} \; + + echo "Listing current VM status..." LEAP_CMD vm status "$TAG" # shellcheck disable=SC2086 - LEAP_CMD vm add "$NAME" services:"$SERVICES" tags:"$TAG" $SEEDS + echo "Adding VM $NAME with the services: $SERVICES and the tags: $TAG" + LEAP_CMD vm add "$NAME" services:"$SERVICES" tags:"$TAG" + echo "Compiling $TAG..." LEAP_CMD compile "$TAG" + echo "Listing current VM status for TAG: $TAG..." LEAP_CMD vm status "$TAG" + echo "Running leap list..." + LEAP_CMD list + + echo "Running leap node init on TAG: $TAG" LEAP_CMD node init "$TAG" + echo "Running leap info on $TAG" LEAP_CMD info "${TAG}" } +run() { + echo "Cloning $1 repo: $2" + git clone -q --depth 1 "$2" + cd "$1" + git rev-parse HEAD + echo -n "Operating in the $1 directory: " + pwd + echo "Listing current node information..." + LEAP_CMD list + echo "Attempting a deploy..." + deploy + echo "Attempting to run tests..." + test +} + # # Main # @@ -86,33 +136,32 @@ set +x /bin/chmod 600 ~/.ssh/id_rsa /bin/cp "${ROOTDIR}/provider/users/gitlab-runner/gitlab-runner_ssh.pub" ~/.ssh/id_rsa.pub +# Enable xtrace again only if it was set at beginning of script +[[ $xtrace == true ]] && set -x + case "$CI_ENVIRONMENT_NAME" in - latest) + staging) TAG='latest' - echo "Cloning ibex provider..." - git clone -q --depth 1 ssh://gitolite@leap.se/ibex - cd ibex - git rev-parse HEAD - echo -n "Operating in the ibex directory: " - pwd - echo "Listing current node information..." - LEAP_CMD list - echo "Attempting a deploy..." - deploy - echo "Attempting to run tests..." - test + run ibex ssh://gitolite@leap.se/ibex + ;; + production/demo/mail) + TAG='demomail' + run bitmask ssh://gitolite@leap.se/bitmask + ;; + production/demo/vpn) + TAG='demovpn' + run bitmask ssh://gitolite@leap.se/bitmask ;; *) # create node(s) with unique id so we can run tests in parallel - NAME="citest${CI_BUILD_ID}" + NAME="citest${CI_BUILD_ID:-0}" # when using gitlab-runner locally, CI_BUILD_ID is always 1 which # will conflict with running/terminating AWS instances in subsequent runs # therefore we pick a random number in this case - [ "$CI_BUILD_ID" -eq "1" ] && NAME+="000${RANDOM}" + [ "${CI_BUILD_ID:-0}" -eq "1" ] && NAME+="000${RANDOM}" TAG='single' SERVICES='couchdb,soledad,mx,webapp,tor,monitor' - SEEDS='' build_from_scratch # Deploy and test deploy @@ -122,4 +171,3 @@ case "$CI_ENVIRONMENT_NAME" in [ -f "nodes/${NAME}.json" ] && /bin/rm "nodes/${NAME}.json" ;; esac -} | /usr/bin/ts -s |