Merge branch 'stable-3.1'

* stable-3.1:
  Make secrets generation idempotent
  Allow passing secrets prefix as an argument
  Do not update all packages on CentOS
  Do not install replication keys if setup not needed
  Add logic to control replication setup
  Use generic container.javaHome value
  Add SSH keys to AWS Secret Manager

Change-Id: I7eaa95aabb27e0a0e1181e5ebe72c54167fc8196
diff --git a/gerrit/Dockerfile b/gerrit/Dockerfile
index 5d27f6c..a20c8b0 100644
--- a/gerrit/Dockerfile
+++ b/gerrit/Dockerfile
@@ -2,8 +2,7 @@
 
 USER root
 
-RUN yum update -y \
-    && yum install -y python36 python3-libs python36-devel python3-pip
+RUN  yum install -y python36 python3-libs python36-devel python3-pip
 
 COPY --chown=gerrit:gerrit ssh-config /var/gerrit/.ssh/config
 
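Review bot: Style: the rewritten line has a doubled space after `RUN`; `RUN yum install -y python36 python3-libs python36-devel python3-pip && yum clean all` would also drop the package cache from this layer. With `yum update -y` gone, this layer no longer pulls package fixes newer than the base image, so the base tag in the FROM line (outside this hunk) is now what decides how current the installed packages are; rebuilding from a refreshed base is the way to pick up fixes.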
diff --git a/gerrit/add_secrets_aws_secrets_manager.sh b/gerrit/add_secrets_aws_secrets_manager.sh
index c5b7a00..c76b9de 100755
--- a/gerrit/add_secrets_aws_secrets_manager.sh
+++ b/gerrit/add_secrets_aws_secrets_manager.sh
@@ -9,7 +9,23 @@
 
 # Avoid to open output in less for each AWS command
 export AWS_PAGER=;
-KEY_PREFIX=gerrit_secret
+KEY_PREFIX=${2:-gerrit_secret}
+
+function set-secret-string {
+  SECRET_ID=$1
+
+  if aws secretsmanager describe-secret --secret-id ${KEY_PREFIX}_${SECRET_ID} > /dev/null 2>&1
+  then
+    echo "Updating secret ${KEY_PREFIX}_${SECRET_ID} ..."
+    aws secretsmanager put-secret-value --secret-id ${KEY_PREFIX}_${SECRET_ID} \
+      --secret-string file://$SECRETS_DIRECTORY/${SECRET_ID}
+  else
+    echo "Creating secret ${KEY_PREFIX}_${SECRET_ID} ..."
+    aws secretsmanager create-secret --name ${KEY_PREFIX}_${SECRET_ID} \
+      --description "Gerrit ${SECRET_ID}" \
+      --secret-string file://$SECRETS_DIRECTORY/${SECRET_ID}
+  fi
+}
 
 echo "Adding SSH Keys..."
 
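Review bot: `SECRET_ID=$1` inside set-secret-string assigns a global rather than a function-local variable, and the `file://` path and secret id are unquoted, so a SECRETS_DIRECTORY containing spaces splits the argument; `local SECRET_ID=$1` and `--secret-string "file://$SECRETS_DIRECTORY/${SECRET_ID}"` fix both. The `describe-secret` probe discards stderr and treats every non-zero exit as "secret absent", so an IAM or network error silently falls through to a create-secret attempt whose failure is the only message the operator sees; consider keeping stderr or checking for ResourceNotFoundException specifically. The call sites in the next hunk pass `${key_name}` unquoted too. The hyphenated function name and the `function` keyword require bash; the shebang is outside this hunk.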
@@ -28,35 +44,20 @@
 
 for key_name in "${keys[@]}"
 do
-  echo aws secretsmanager create-secret --name ${KEY_PREFIX}_${key_name} \
-      --description "Gerrit ${key_name}" \
-      --secret-string file://$SECRETS_DIRECTORY/${key_name}
+  set-secret-string ${key_name}
 done
 
 if [ -f "$SECRETS_DIRECTORY/replication_user_id_rsa.pub" ]; then
   echo "Adding Replication SSH Keys..."
-  aws secretsmanager create-secret --name ${KEY_PREFIX}_replication_user_id_rsa.pub \
-      --description "Gerrit replication_user_id_rsa.pub" \
-      --secret-string file://$SECRETS_DIRECTORY/replication_user_id_rsa.pub
-  aws secretsmanager create-secret --name ${KEY_PREFIX}_replication_user_id_rsa \
-      --description "Gerrit replication_user_id_rsa" \
-      --secret-string file://$SECRETS_DIRECTORY/replication_user_id_rsa
+  set-secret-string replication_user_id_rsa.pub
+  set-secret-string replication_user_id_rsa
 fi
 
 echo "Adding Register Email Private Key..."
-
-aws secretsmanager create-secret --name ${KEY_PREFIX}_registerEmailPrivateKey \
-    --description "Gerrit Register Email Private Key" \
-    --secret-string file://$SECRETS_DIRECTORY/registerEmailPrivateKey
+set-secret-string registerEmailPrivateKey
 
 echo "Adding LDAP password..."
-
-aws secretsmanager create-secret --name ${KEY_PREFIX}_ldapPassword \
-    --description "LDAP password" \
-    --secret-string file://$SECRETS_DIRECTORY/ldapPassword
+set-secret-string ldapPassword
 
 echo "Adding SMTP password..."
-
-aws secretsmanager create-secret --name ${KEY_PREFIX}_smtpPassword \
-    --description "SMTP password" \
-    --secret-string file://$SECRETS_DIRECTORY/smtpPassword
+set-secret-string smtpPassword
diff --git a/gerrit/setup_gerrit.py b/gerrit/setup_gerrit.py
index 294567a..c48d02f 100755
--- a/gerrit/setup_gerrit.py
+++ b/gerrit/setup_gerrit.py
@@ -7,6 +7,7 @@
 from botocore.exceptions import ClientError
 from jinja2 import Environment, FileSystemLoader
 
+setupReplication = (os.getenv('SETUP_REPLICATION') == 'true')
 
 def get_secret(secret_name):
     # Create a Secrets Manager client
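Review bot: `setupReplication` is true only for the exact lowercase string 'true', so a deployment that sets SETUP_REPLICATION=True or =1 silently skips the replication key install with no log line. The same strict comparison is introduced for CONTAINER_SLAVE in the last hunk, where the old test accepted any non-empty value, so an existing deployment setting CONTAINER_SLAVE to something other than 'true' would now be treated as a master (I cannot see where that variable is set). A tolerant parse such as `setupReplication = os.getenv('SETUP_REPLICATION', '').strip().lower() in ('true', '1', 'yes')` plus a one-line `print` of the chosen mode would make the decision visible in the container log.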
@@ -76,7 +77,7 @@
     "ssh_host_rsa_key.pub"
 ]
 
-GERRIT_KEY_PREFIX = "gerrit_secret_"
+GERRIT_KEY_PREFIX = os.getenv("GERRIT_KEY_PREFIX", "gerrit_secret")
 GERRIT_CONFIG_DIRECTORY = "/var/gerrit/etc/"
 
 print("Installing SSH Keys from Secret Manager in directory: " +
@@ -84,21 +85,22 @@
 for secretId in secretIds:
     print("* Installing SSH Key: " + secretId)
     with open(GERRIT_CONFIG_DIRECTORY + secretId, 'w', encoding='utf-8') as f:
-        f.write(get_secret(GERRIT_KEY_PREFIX + secretId))
+        f.write(get_secret(GERRIT_KEY_PREFIX + "_" + secretId))
 
-GERRIT_SSH_DIRECTORY = "/var/gerrit/.ssh"
-GERRIT_REPLICATION_SSH_KEYS = GERRIT_SSH_DIRECTORY + "/id_rsa"
+if setupReplication:
+    GERRIT_SSH_DIRECTORY = "/var/gerrit/.ssh"
+    GERRIT_REPLICATION_SSH_KEYS = GERRIT_SSH_DIRECTORY + "/id_rsa"
 
-print("Installing Replication SSH Keys from Secret Manager in: " +
-      GERRIT_REPLICATION_SSH_KEYS)
+    print("Installing Replication SSH Keys from Secret Manager in: " +
+          GERRIT_REPLICATION_SSH_KEYS)
 
-if not os.path.exists(GERRIT_SSH_DIRECTORY):
-    os.mkdir(GERRIT_SSH_DIRECTORY)
-    os.chmod(GERRIT_SSH_DIRECTORY, 0o700)
+    if not os.path.exists(GERRIT_SSH_DIRECTORY):
+        os.mkdir(GERRIT_SSH_DIRECTORY)
+        os.chmod(GERRIT_SSH_DIRECTORY, 0o700)
 
-with open(GERRIT_REPLICATION_SSH_KEYS, 'w', encoding='utf-8') as f:
-    f.write(get_secret(GERRIT_KEY_PREFIX + 'replication_user_id_rsa'))
-os.chmod(GERRIT_REPLICATION_SSH_KEYS, 0o400)
+    with open(GERRIT_REPLICATION_SSH_KEYS, 'w', encoding='utf-8') as f:
+        f.write(get_secret(GERRIT_KEY_PREFIX + 'replication_user_id_rsa'))
+    os.chmod(GERRIT_REPLICATION_SSH_KEYS, 0o400)
 
 file_loader = FileSystemLoader(GERRIT_CONFIG_DIRECTORY)
 env = Environment(loader=file_loader)
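Review bot: The replication key lookup is missing the separator that this hunk adds everywhere else: the loop above now builds `GERRIT_KEY_PREFIX + "_" + secretId` and the later hunks use `"_registerEmailPrivateKey"`, but the line `f.write(get_secret(GERRIT_KEY_PREFIX + 'replication_user_id_rsa'))` yields `gerrit_secretreplication_user_id_rsa`, which the shell script never creates (it stores `${KEY_PREFIX}_replication_user_id_rsa`), so get_secret would fail whenever SETUP_REPLICATION is true; it should read `f.write(get_secret(GERRIT_KEY_PREFIX + '_replication_user_id_rsa'))`. Separately, the private key file is created with the process umask and only tightened to 0400 afterwards; creating it with `os.open(GERRIT_REPLICATION_SSH_KEYS, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` wrapped in `os.fdopen(fd, 'w', encoding='utf-8')` avoids the window in which the key is readable under the default mode. get_secret is defined outside this hunk.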
@@ -110,9 +112,9 @@
           encoding='utf-8') as f:
     f.write(template.render(
         REGISTER_EMAIL_PRIVATE_KEY=get_secret(
-            GERRIT_KEY_PREFIX + "registerEmailPrivateKey"),
-        LDAP_PASSWORD=get_secret(GERRIT_KEY_PREFIX + "ldapPassword"),
-        SMTP_PASSWORD=get_secret(GERRIT_KEY_PREFIX + "smtpPassword"))
+            GERRIT_KEY_PREFIX + "_registerEmailPrivateKey"),
+        LDAP_PASSWORD=get_secret(GERRIT_KEY_PREFIX + "_ldapPassword"),
+        SMTP_PASSWORD=get_secret(GERRIT_KEY_PREFIX + "_smtpPassword"))
     )
 
 BASE_CONFIG_DIR = "/tmp"
@@ -124,7 +126,7 @@
 config_for_template = {}
 try:
     # If we don't need the monitoring stack we can avoid to set this token
-    prometheus_bearer_token = get_secret(GERRIT_KEY_PREFIX + "prometheus_bearer_token")
+    prometheus_bearer_token = get_secret(GERRIT_KEY_PREFIX + "_prometheus_bearer_token")
     config_for_template['PROMETHEUS_BEARER_TOKEN'] = prometheus_bearer_token
 except ClientError as e:
     if e.response['Error']['Code'] == 'ResourceNotFoundException':
@@ -145,8 +147,8 @@
     })
     f.write(template.render(config_for_template))
 
-containerSlave = os.getenv('CONTAINER_SLAVE')
-if (not containerSlave):
+containerSlave = (os.getenv('CONTAINER_SLAVE') == 'true')
+if ((not containerSlave) and setupReplication):
     print("Setting Replication config in '" +
           GERRIT_CONFIG_DIRECTORY + "replication.config'")
     config.read(BASE_CONFIG_DIR + '/replication.setup')
diff --git a/master-slave/Makefile b/master-slave/Makefile
index aa87fc3..ee5ec6f 100644
--- a/master-slave/Makefile
+++ b/master-slave/Makefile
@@ -38,7 +38,8 @@
 		ParameterKey=Subdomain,ParameterValue=$(MASTER_SUBDOMAIN) \
 		ParameterKey=DockerRegistryUrl,ParameterValue=$(DOCKER_REGISTRY_URI) \
 		ParameterKey=CertificateArn,ParameterValue=$(SSL_CERTIFICATE_ARN) \
-		ParameterKey=SlaveServiceStackName,ParameterValue=$(SERVICE_SLAVE_STACK_NAME)
+		ParameterKey=SlaveServiceStackName,ParameterValue=$(SERVICE_SLAVE_STACK_NAME) \
+		ParameterKey=GerritKeyPrefix,ParameterValue=$(GERRIT_KEY_PREFIX)
 
 service-slave:
 	$(AWS_FC_COMMAND) create-stack \
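Review bot: `$(GERRIT_KEY_PREFIX)` is referenced in the new parameter line but nothing in this hunk defines it; if it is unset or empty the stack receives `ParameterValue=` as an empty string, and the container-side `os.getenv("GERRIT_KEY_PREFIX", "gerrit_secret")` in setup_gerrit.py only applies its default when the variable is absent, not empty, so every secret lookup would become `_<name>`. Add `GERRIT_KEY_PREFIX ?= gerrit_secret` alongside the other variables, or guard the recipe with `$(if $(strip $(GERRIT_KEY_PREFIX)),,$(error GERRIT_KEY_PREFIX is empty))`. The same applies to the service-slave hunk below and to single-master/Makefile. The target header for this recipe is outside the hunk.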
@@ -51,7 +52,8 @@
 		ParameterKey=HostedZoneName,ParameterValue=$(HOSTED_ZONE_NAME) \
 		ParameterKey=Subdomain,ParameterValue=$(SLAVE_SUBDOMAIN) \
 		ParameterKey=DockerRegistryUrl,ParameterValue=$(DOCKER_REGISTRY_URI) \
-		ParameterKey=CertificateArn,ParameterValue=$(SSL_CERTIFICATE_ARN)
+		ParameterKey=CertificateArn,ParameterValue=$(SSL_CERTIFICATE_ARN) \
+		ParameterKey=GerritKeyPrefix,ParameterValue=$(GERRIT_KEY_PREFIX)
 
 dns-routing:
 	$(AWS_FC_COMMAND) create-stack \
diff --git a/master-slave/cf-service-master.yml b/master-slave/cf-service-master.yml
index fd46039..68f1bf8 100644
--- a/master-slave/cf-service-master.yml
+++ b/master-slave/cf-service-master.yml
@@ -52,6 +52,9 @@
         Description: The subdomain of the Gerrit cluster
         Type: String
         Default: gerrit-master-demo
+  GerritKeyPrefix:
+        Description: Gerrit credentials keys prefix
+        Type: String
   GerritGitVolume:
       Description: Gerrit git volume name
       Type: String
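Review bot: The new GerritKeyPrefix parameter has no Default, so an omitted or empty ParameterValue is passed through as an empty string rather than the `gerrit_secret` default that add_secrets_aws_secrets_manager.sh and setup_gerrit.py both assume; adding `Default: gerrit_secret` under the parameter keeps the three defaults consistent. The same parameter block is added without a Default in single-master/cf-service.yml. The nested keys are indented by eight spaces like the preceding Subdomain block while the following GerritGitVolume uses six; both are valid YAML, but the file now mixes the two styles.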
@@ -115,6 +118,10 @@
                       Value: !Sub 'proxy-https://*:${HTTPPort}/'
                     - Name: AWS_REGION
                       Value: !Ref AWS::Region
+                    - Name: SETUP_REPLICATION
+                      Value: true
+                    - Name: GERRIT_KEY_PREFIX
+                      Value: !Ref GerritKeyPrefix
                   MountPoints:
                     - SourceVolume: !Ref GerritGitVolume
                       ContainerPath: /var/gerrit/git
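Review bot: `Value: true` is an unquoted YAML boolean, while the ECS environment Value property is string-typed and setup_gerrit.py compares it against the string 'true'; CloudFormation may reject the boolean or coerce it, and quoting removes the ambiguity: `Value: "true"`. The sibling GERRIT_KEY_PREFIX entry uses `!Ref`, which already yields a string, so only this line is affected.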
diff --git a/single-master/Makefile b/single-master/Makefile
index 53237da..4db2552 100644
--- a/single-master/Makefile
+++ b/single-master/Makefile
@@ -33,7 +33,8 @@
 		ParameterKey=HostedZoneName,ParameterValue=$(HOSTED_ZONE_NAME) \
 		ParameterKey=Subdomain,ParameterValue=$(SUBDOMAIN) \
 		ParameterKey=DockerRegistryUrl,ParameterValue=$(DOCKER_REGISTRY_URI) \
-		ParameterKey=CertificateArn,ParameterValue=$(SSL_CERTIFICATE_ARN)
+		ParameterKey=CertificateArn,ParameterValue=$(SSL_CERTIFICATE_ARN) \
+		ParameterKey=GerritKeyPrefix,ParameterValue=$(GERRIT_KEY_PREFIX)
 
 dns-routing:
 	$(AWS_FC_COMMAND) create-stack \
diff --git a/single-master/README.md b/single-master/README.md
index f330239..0077248 100644
--- a/single-master/README.md
+++ b/single-master/README.md
@@ -126,7 +126,9 @@
 
 You can now run the [script](../gerrit/add_secrets_aws_secrets_manager.sh) to
 upload them to AWS Secret Manager:
-`add_secrets_aws_secrets_manager.sh /path/to/your/keys/directory`
+`add_secrets_aws_secrets_manager.sh /path/to/your/keys/directory secret_prefix`
+
+When `secret_prefix` is omitted, it is set to `gerrit_secret` by default.
 
 ### Publish custom Gerrit Docker image
 
diff --git a/single-master/cf-service.yml b/single-master/cf-service.yml
index 00bbd83..80a06dc 100644
--- a/single-master/cf-service.yml
+++ b/single-master/cf-service.yml
@@ -45,6 +45,9 @@
         Description: The subdomain of the Gerrit cluster
         Type: String
         Default: gerrit-master-demo
+  GerritKeyPrefix:
+        Description: Gerrit credentials keys prefix
+        Type: String
   GerritGitVolume:
       Description: Gerrit git volume name
       Type: String
@@ -108,6 +111,8 @@
                       Value: !Sub 'proxy-https://*:${HTTPPort}/'
                     - Name: AWS_REGION
                       Value: !Ref AWS::Region
+                    - Name: GERRIT_KEY_PREFIX
+                      Value: !Ref GerritKeyPrefix
                   MountPoints:
                     - SourceVolume: !Ref GerritGitVolume
                       ContainerPath: /var/gerrit/git