Merge branch 'stable-3.1'
* stable-3.1:
Make secrets generation idempotent
Allow passing secrets prefix as an argument
Do not update all packages on CentOS
Do not install replication keys if setup not needed
Add logic to control replication setup
Use generic container.javaHome value
Add SSH keys to AWS Secret Manager
Change-Id: I7eaa95aabb27e0a0e1181e5ebe72c54167fc8196
diff --git a/gerrit/Dockerfile b/gerrit/Dockerfile
index 5d27f6c..a20c8b0 100644
--- a/gerrit/Dockerfile
+++ b/gerrit/Dockerfile
@@ -2,8 +2,7 @@
USER root
-RUN yum update -y \
- && yum install -y python36 python3-libs python36-devel python3-pip
+RUN yum install -y python36 python3-libs python36-devel python3-pip
COPY --chown=gerrit:gerrit ssh-config /var/gerrit/.ssh/config
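Review bot: With `yum update -y` dropped, the image's patch level is now exactly that of the base image, so the `FROM` line (outside this hunk) should be pinned to a tag or digest and refreshed on purpose; otherwise the security fixes this layer used to pull in arrive only when the base image happens to move. Appending `&& yum clean all` to the remaining `RUN yum install -y ...` line also keeps the package cache out of the layer.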
diff --git a/gerrit/add_secrets_aws_secrets_manager.sh b/gerrit/add_secrets_aws_secrets_manager.sh
index c5b7a00..c76b9de 100755
--- a/gerrit/add_secrets_aws_secrets_manager.sh
+++ b/gerrit/add_secrets_aws_secrets_manager.sh
@@ -9,7 +9,23 @@
# Avoid to open output in less for each AWS command
export AWS_PAGER=;
-KEY_PREFIX=gerrit_secret
+KEY_PREFIX=${2:-gerrit_secret}
+
+function set-secret-string {
+ SECRET_ID=$1
+
+ if aws secretsmanager describe-secret --secret-id ${KEY_PREFIX}_${SECRET_ID} > /dev/null 2>&1
+ then
+ echo "Updating secret ${KEY_PREFIX}_${SECRET_ID} ..."
+ aws secretsmanager put-secret-value --secret-id ${KEY_PREFIX}_${SECRET_ID} \
+ --secret-string file://$SECRETS_DIRECTORY/${SECRET_ID}
+ else
+ echo "Creating secret ${KEY_PREFIX}_${SECRET_ID} ..."
+ aws secretsmanager create-secret --name ${KEY_PREFIX}_${SECRET_ID} \
+ --description "Gerrit ${SECRET_ID}" \
+ --secret-string file://$SECRETS_DIRECTORY/${SECRET_ID}
+ fi
+}
echo "Adding SSH Keys..."
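Review bot: The new `set-secret-string` function expands `${KEY_PREFIX}_${SECRET_ID}` and `file://$SECRETS_DIRECTORY/${SECRET_ID}` unquoted, so a secrets directory or prefix containing whitespace is word-split into extra CLI arguments, and `SECRET_ID` is assigned as a global rather than `local SECRET_ID=$1`. Quoting the expansions, e.g. `--secret-string "file://$SECRETS_DIRECTORY/${SECRET_ID}"` and `--secret-id "${KEY_PREFIX}_${SECRET_ID}"`, fixes the first. The `describe-secret` probe discards stderr and treats any non-zero exit as "does not exist", so a denied `secretsmanager:DescribeSecret`, expired credentials or a wrong region all fall into the create branch and surface as a confusing `create-secret` error rather than the real one; capturing the error output and testing for `ResourceNotFoundException` would make the idempotency check exact.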
@@ -28,35 +44,20 @@
for key_name in "${keys[@]}"
do
- echo aws secretsmanager create-secret --name ${KEY_PREFIX}_${key_name} \
- --description "Gerrit ${key_name}" \
- --secret-string file://$SECRETS_DIRECTORY/${key_name}
+ set-secret-string ${key_name}
done
if [ -f "$SECRETS_DIRECTORY/replication_user_id_rsa.pub" ]; then
echo "Adding Replication SSH Keys..."
- aws secretsmanager create-secret --name ${KEY_PREFIX}_replication_user_id_rsa.pub \
- --description "Gerrit replication_user_id_rsa.pub" \
- --secret-string file://$SECRETS_DIRECTORY/replication_user_id_rsa.pub
- aws secretsmanager create-secret --name ${KEY_PREFIX}_replication_user_id_rsa \
- --description "Gerrit replication_user_id_rsa" \
- --secret-string file://$SECRETS_DIRECTORY/replication_user_id_rsa
+ set-secret-string replication_user_id_rsa.pub
+ set-secret-string replication_user_id_rsa
fi
echo "Adding Register Email Private Key..."
-
-aws secretsmanager create-secret --name ${KEY_PREFIX}_registerEmailPrivateKey \
- --description "Gerrit Register Email Private Key" \
- --secret-string file://$SECRETS_DIRECTORY/registerEmailPrivateKey
+set-secret-string registerEmailPrivateKey
echo "Adding LDAP password..."
-
-aws secretsmanager create-secret --name ${KEY_PREFIX}_ldapPassword \
- --description "LDAP password" \
- --secret-string file://$SECRETS_DIRECTORY/ldapPassword
+set-secret-string ldapPassword
echo "Adding SMTP password..."
-
-aws secretsmanager create-secret --name ${KEY_PREFIX}_smtpPassword \
- --description "SMTP password" \
- --secret-string file://$SECRETS_DIRECTORY/smtpPassword
+set-secret-string smtpPassword
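Review bot: The enclosing guard tests only `replication_user_id_rsa.pub`, yet the new `set-secret-string replication_user_id_rsa` call uploads the private half as well, so a directory holding just the `.pub` file stores the public key and then fails on a missing `file://` argument, leaving a half-uploaded pair. Widening the test to `if [ -f "$SECRETS_DIRECTORY/replication_user_id_rsa.pub" ] && [ -f "$SECRETS_DIRECTORY/replication_user_id_rsa" ]; then` avoids that state. The `${key_name}` argument in the loop would also be safer quoted.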
diff --git a/gerrit/setup_gerrit.py b/gerrit/setup_gerrit.py
index 294567a..c48d02f 100755
--- a/gerrit/setup_gerrit.py
+++ b/gerrit/setup_gerrit.py
@@ -7,6 +7,7 @@
from botocore.exceptions import ClientError
from jinja2 import Environment, FileSystemLoader
+setupReplication = (os.getenv('SETUP_REPLICATION') == 'true')
def get_secret(secret_name):
# Create a Secrets Manager client
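Review bot: `setupReplication` is a module-level flag written in camelCase beside the file's `UPPER_SNAKE_CASE` constants such as `GERRIT_KEY_PREFIX`, and the `== 'true'` comparison accepts only that exact spelling, so a template that passes `True`, `TRUE` or `1` silently disables replication setup without any message. Normalising the value, `setupReplication = os.getenv('SETUP_REPLICATION', 'false').strip().lower() == 'true'`, makes the flag tolerant of the usual spellings; renaming it to `SETUP_REPLICATION` would match the file's convention but touches its use site in a later hunk. A one-line comment stating that the variable is set by the CloudFormation task definition would help readers of this file, since the source of the value is otherwise invisible here.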
@@ -76,7 +77,7 @@
"ssh_host_rsa_key.pub"
]
-GERRIT_KEY_PREFIX = "gerrit_secret_"
+GERRIT_KEY_PREFIX = os.getenv("GERRIT_KEY_PREFIX", "gerrit_secret")
GERRIT_CONFIG_DIRECTORY = "/var/gerrit/etc/"
print("Installing SSH Keys from Secret Manager in directory: " +
@@ -84,21 +85,22 @@
for secretId in secretIds:
print("* Installing SSH Key: " + secretId)
with open(GERRIT_CONFIG_DIRECTORY + secretId, 'w', encoding='utf-8') as f:
- f.write(get_secret(GERRIT_KEY_PREFIX + secretId))
+ f.write(get_secret(GERRIT_KEY_PREFIX + "_" + secretId))
-GERRIT_SSH_DIRECTORY = "/var/gerrit/.ssh"
-GERRIT_REPLICATION_SSH_KEYS = GERRIT_SSH_DIRECTORY + "/id_rsa"
+if setupReplication:
+ GERRIT_SSH_DIRECTORY = "/var/gerrit/.ssh"
+ GERRIT_REPLICATION_SSH_KEYS = GERRIT_SSH_DIRECTORY + "/id_rsa"
-print("Installing Replication SSH Keys from Secret Manager in: " +
- GERRIT_REPLICATION_SSH_KEYS)
+ print("Installing Replication SSH Keys from Secret Manager in: " +
+ GERRIT_REPLICATION_SSH_KEYS)
-if not os.path.exists(GERRIT_SSH_DIRECTORY):
- os.mkdir(GERRIT_SSH_DIRECTORY)
- os.chmod(GERRIT_SSH_DIRECTORY, 0o700)
+ if not os.path.exists(GERRIT_SSH_DIRECTORY):
+ os.mkdir(GERRIT_SSH_DIRECTORY)
+ os.chmod(GERRIT_SSH_DIRECTORY, 0o700)
-with open(GERRIT_REPLICATION_SSH_KEYS, 'w', encoding='utf-8') as f:
- f.write(get_secret(GERRIT_KEY_PREFIX + 'replication_user_id_rsa'))
-os.chmod(GERRIT_REPLICATION_SSH_KEYS, 0o400)
+ with open(GERRIT_REPLICATION_SSH_KEYS, 'w', encoding='utf-8') as f:
+ f.write(get_secret(GERRIT_KEY_PREFIX + 'replication_user_id_rsa'))
+ os.chmod(GERRIT_REPLICATION_SSH_KEYS, 0o400)
file_loader = FileSystemLoader(GERRIT_CONFIG_DIRECTORY)
env = Environment(loader=file_loader)
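Review bot: The replication key lookup on the new side still reads `get_secret(GERRIT_KEY_PREFIX + 'replication_user_id_rsa')` with no `_` separator, while `GERRIT_KEY_PREFIX` now defaults to `gerrit_secret` (previous hunk) and every other call site in this commit inserts the underscore; with replication enabled the script asks Secrets Manager for `gerrit_secretreplication_user_id_rsa`, a name `add_secrets_aws_secrets_manager.sh` never creates, so the lookup fails on the master. The line should read `f.write(get_secret(GERRIT_KEY_PREFIX + '_replication_user_id_rsa'))`; a small helper such as `def secret_id(name): return GERRIT_KEY_PREFIX + "_" + name` used at every call site would stop the separator being forgotten again. Separately, the private key is created with a plain `open(..., 'w')` and only afterwards `os.chmod(..., 0o400)`, so for a moment the file carries whatever the process umask allows; opening it via `os.fdopen(os.open(GERRIT_REPLICATION_SSH_KEYS, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w', encoding='utf-8')` creates it restrictive from the start. Note also that `os.chmod(GERRIT_SSH_DIRECTORY, 0o700)` runs only when the directory is newly created, so a pre-existing directory keeps whatever mode it already has.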
@@ -110,9 +112,9 @@
encoding='utf-8') as f:
f.write(template.render(
REGISTER_EMAIL_PRIVATE_KEY=get_secret(
- GERRIT_KEY_PREFIX + "registerEmailPrivateKey"),
- LDAP_PASSWORD=get_secret(GERRIT_KEY_PREFIX + "ldapPassword"),
- SMTP_PASSWORD=get_secret(GERRIT_KEY_PREFIX + "smtpPassword"))
+ GERRIT_KEY_PREFIX + "_registerEmailPrivateKey"),
+ LDAP_PASSWORD=get_secret(GERRIT_KEY_PREFIX + "_ldapPassword"),
+ SMTP_PASSWORD=get_secret(GERRIT_KEY_PREFIX + "_smtpPassword"))
)
BASE_CONFIG_DIR = "/tmp"
@@ -124,7 +126,7 @@
config_for_template = {}
try:
# If we don't need the monitoring stack we can avoid to set this token
- prometheus_bearer_token = get_secret(GERRIT_KEY_PREFIX + "prometheus_bearer_token")
+ prometheus_bearer_token = get_secret(GERRIT_KEY_PREFIX + "_prometheus_bearer_token")
config_for_template['PROMETHEUS_BEARER_TOKEN'] = prometheus_bearer_token
except ClientError as e:
if e.response['Error']['Code'] == 'ResourceNotFoundException':
@@ -145,8 +147,8 @@
})
f.write(template.render(config_for_template))
-containerSlave = os.getenv('CONTAINER_SLAVE')
-if (not containerSlave):
+containerSlave = (os.getenv('CONTAINER_SLAVE') == 'true')
+if ((not containerSlave) and setupReplication):
print("Setting Replication config in '" +
GERRIT_CONFIG_DIRECTORY + "replication.config'")
config.read(BASE_CONFIG_DIR + '/replication.setup')
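Review bot: `containerSlave` changes from "any non-empty value" to an exact match on `'true'`, and the slave task definition that sets `CONTAINER_SLAVE` is not part of this diff; if it passes `True`, `1` or `yes`, the slave is now treated as a master and, with `SETUP_REPLICATION` set, would write a replication config. `containerSlave = os.getenv('CONTAINER_SLAVE', 'false').strip().lower() == 'true'` keeps the stricter semantics while tolerating the usual spellings, and the condition reads more naturally as `if not containerSlave and setupReplication:` without the doubled parentheses.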
diff --git a/master-slave/Makefile b/master-slave/Makefile
index aa87fc3..ee5ec6f 100644
--- a/master-slave/Makefile
+++ b/master-slave/Makefile
@@ -38,7 +38,8 @@
ParameterKey=Subdomain,ParameterValue=$(MASTER_SUBDOMAIN) \
ParameterKey=DockerRegistryUrl,ParameterValue=$(DOCKER_REGISTRY_URI) \
ParameterKey=CertificateArn,ParameterValue=$(SSL_CERTIFICATE_ARN) \
- ParameterKey=SlaveServiceStackName,ParameterValue=$(SERVICE_SLAVE_STACK_NAME)
+ ParameterKey=SlaveServiceStackName,ParameterValue=$(SERVICE_SLAVE_STACK_NAME) \
+ ParameterKey=GerritKeyPrefix,ParameterValue=$(GERRIT_KEY_PREFIX)
service-slave:
$(AWS_FC_COMMAND) create-stack \
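Review bot: `$(GERRIT_KEY_PREFIX)` is passed through with no fallback visible in this hunk, and the `GerritKeyPrefix` parameter it feeds (added in the cf-service-master.yml and cf-service.yml hunks) declares no `Default`, so an unset make variable yields `ParameterValue=` and, unless CloudFormation rejects the empty string, a container whose `GERRIT_KEY_PREFIX` is empty; setup_gerrit.py only falls back to `gerrit_secret` when the variable is absent, so it would then look up names such as `_ldapPassword`. Either `Default: gerrit_secret` on the template parameter or `GERRIT_KEY_PREFIX ?= gerrit_secret` near the top of each Makefile (outside these hunks) keeps the default aligned with the `${2:-gerrit_secret}` fallback in add_secrets_aws_secrets_manager.sh. The same applies to the `service-slave` hunk below and to the single-master/Makefile hunk.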
@@ -51,7 +52,8 @@
ParameterKey=HostedZoneName,ParameterValue=$(HOSTED_ZONE_NAME) \
ParameterKey=Subdomain,ParameterValue=$(SLAVE_SUBDOMAIN) \
ParameterKey=DockerRegistryUrl,ParameterValue=$(DOCKER_REGISTRY_URI) \
- ParameterKey=CertificateArn,ParameterValue=$(SSL_CERTIFICATE_ARN)
+ ParameterKey=CertificateArn,ParameterValue=$(SSL_CERTIFICATE_ARN) \
+ ParameterKey=GerritKeyPrefix,ParameterValue=$(GERRIT_KEY_PREFIX)
dns-routing:
$(AWS_FC_COMMAND) create-stack \
diff --git a/master-slave/cf-service-master.yml b/master-slave/cf-service-master.yml
index fd46039..68f1bf8 100644
--- a/master-slave/cf-service-master.yml
+++ b/master-slave/cf-service-master.yml
@@ -52,6 +52,9 @@
Description: The subdomain of the Gerrit cluster
Type: String
Default: gerrit-master-demo
+ GerritKeyPrefix:
+ Description: Gerrit credentials keys prefix
+ Type: String
GerritGitVolume:
Description: Gerrit git volume name
Type: String
@@ -115,6 +118,10 @@
Value: !Sub 'proxy-https://*:${HTTPPort}/'
- Name: AWS_REGION
Value: !Ref AWS::Region
+ - Name: SETUP_REPLICATION
+ Value: true
+ - Name: GERRIT_KEY_PREFIX
+ Value: !Ref GerritKeyPrefix
MountPoints:
- SourceVolume: !Ref GerritGitVolume
ContainerPath: /var/gerrit/git
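Review bot: `SETUP_REPLICATION` is given as the bare scalar `true`, which YAML parsers read as a boolean, while setup_gerrit.py compares the environment variable to the string `'true'`; CloudFormation normally stringifies such values, but quoting it, `Value: 'true'`, removes the reliance on that conversion and matches the quoted literal style used for the other `Value:` entries in this list. A short comment above the entry noting that setup_gerrit.py reads this flag to decide whether replication keys and replication.config are installed would document the coupling between the template and the container script.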
diff --git a/single-master/Makefile b/single-master/Makefile
index 53237da..4db2552 100644
--- a/single-master/Makefile
+++ b/single-master/Makefile
@@ -33,7 +33,8 @@
ParameterKey=HostedZoneName,ParameterValue=$(HOSTED_ZONE_NAME) \
ParameterKey=Subdomain,ParameterValue=$(SUBDOMAIN) \
ParameterKey=DockerRegistryUrl,ParameterValue=$(DOCKER_REGISTRY_URI) \
- ParameterKey=CertificateArn,ParameterValue=$(SSL_CERTIFICATE_ARN)
+ ParameterKey=CertificateArn,ParameterValue=$(SSL_CERTIFICATE_ARN) \
+ ParameterKey=GerritKeyPrefix,ParameterValue=$(GERRIT_KEY_PREFIX)
dns-routing:
$(AWS_FC_COMMAND) create-stack \
diff --git a/single-master/README.md b/single-master/README.md
index f330239..0077248 100644
--- a/single-master/README.md
+++ b/single-master/README.md
@@ -126,7 +126,9 @@
You can now run the [script](../gerrit/add_secrets_aws_secrets_manager.sh) to
upload them to AWS Secret Manager:
-`add_secrets_aws_secrets_manager.sh /path/to/your/keys/directory`
+`add_secrets_aws_secrets_manager.sh /path/to/your/keys/directory secret_prefix`
+
+When `secret_prefix` is omitted, it is set to `gerrit_secret` by default.
### Publish custom Gerrit Docker image
diff --git a/single-master/cf-service.yml b/single-master/cf-service.yml
index 00bbd83..80a06dc 100644
--- a/single-master/cf-service.yml
+++ b/single-master/cf-service.yml
@@ -45,6 +45,9 @@
Description: The subdomain of the Gerrit cluster
Type: String
Default: gerrit-master-demo
+ GerritKeyPrefix:
+ Description: Gerrit credentials keys prefix
+ Type: String
GerritGitVolume:
Description: Gerrit git volume name
Type: String
@@ -108,6 +111,8 @@
Value: !Sub 'proxy-https://*:${HTTPPort}/'
- Name: AWS_REGION
Value: !Ref AWS::Region
+ - Name: GERRIT_KEY_PREFIX
+ Value: !Ref GerritKeyPrefix
MountPoints:
- SourceVolume: !Ref GerritGitVolume
ContainerPath: /var/gerrit/git