Improvement: Add support for private GitHub repos

Bug #1319604 reported by Adrian Otto
This bug affects 1 person
Affects: Solum
Status: Fix Released
Importance: Wishlist
Assigned to: Ravi Sankar Penta
Milestone:

Bug Description

Currently solum only supports public git repos. Add support for private repos. Use a GitHub deploy key.

Tags: improvements
Adrian Otto (aotto)
summary: - improvement: Add support for private GitHub repos
+ Improvement: Add support for private GitHub repos
Changed in solum:
milestone: 2014.1.2 → juno-1
Changed in solum:
assignee: nobody → Ravi Sankar Penta (ravips)
Adrian Otto (aotto) wrote :

https://help.github.com/articles/managing-deploy-keys

A deploy key is an SSH key that is stored on the server and grants access to a single repository on GitHub. This key is attached directly to the repository instead of to a user account.

This is what can allow Solum to access GitHub. We should store our private key in barbican, and use a "barbican secret" key in order to fetch the GitHub Deploy key on-demand. The advantage of this is that all accesses are logged, and Barbican can store the secret data in encrypted format.
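
One way to handle a deploy key fetched on demand, as an added example that is not part of the original comment or of Solum's code: the key is written to a private temporary file only for the duration of one git command and removed afterwards. The function name and the `fetch_secret` callable (a stand-in for the Barbican retrieval) are hypothetical, and the key text in the demo is constructed.

```python
import os
import shlex
import shutil
import subprocess
import tempfile


def run_git_with_deploy_key(fetch_secret, secret_ref, git_args,
                            runner=subprocess.run):
    """Fetch a deploy key on demand, use it for one git command, delete it.

    fetch_secret is a hypothetical callable(secret_ref) -> private key text;
    in a real deployment it would wrap the Barbican secret retrieval.
    """
    key_text = fetch_secret(secret_ref)
    if not key_text.endswith("\n"):
        key_text += "\n"  # ssh may refuse a key file with no final newline
    workdir = tempfile.mkdtemp(prefix="deploykey-")  # created with mode 0700
    key_path = os.path.join(workdir, "id_deploy")
    try:
        # O_EXCL + 0600: never reuse an existing file, never group/world readable
        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(key_text)
        env = dict(os.environ)
        # Offer only this key (no agent or default identities), require a known
        # host key, and never prompt.
        env["GIT_SSH_COMMAND"] = (
            "ssh -i " + shlex.quote(key_path)
            + " -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes"
            + " -o BatchMode=yes"
        )
        return runner(["git"] + list(git_args), env=env, check=True)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)  # key removed even on failure


if __name__ == "__main__":
    # Constructed stand-ins so the flow runs offline: no Barbican, no network.
    def fake_fetch(ref):
        return "-----BEGIN CONSTRUCTED KEY-----\nnot-a-real-key\n-----END CONSTRUCTED KEY-----"

    def fake_runner(argv, env, check):
        return (argv, env["GIT_SSH_COMMAND"])

    print(run_git_with_deploy_key(fake_fetch, "constructed-secret-ref",
                                  ["clone", "git@github.com:example/private.git"],
                                  runner=fake_runner))
```

Because the key exists on disk only inside the `try` block, nothing secret has to be stored in the plan file; only the secret reference needs to be persisted.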

Adrian Otto (aotto) wrote :

Ravi,

Any update on this?

Thanks,

Adrian

Changed in solum:
milestone: juno-1 → juno-2
Ravi Sankar Penta (ravips) wrote :

Blueprint: https://blueprints.launchpad.net/solum/+spec/support-private-github-repos

Adrian,
  Oops, I subscribed to all changes (bugs/bps/...) and I missed your previous comment in the mix.

Last week, I tried to run barbican on devstack and ran into several issues. Got some help from barbican team, I had to make some changes to barbican source and had to apply a pending merge to make it work on devstack. I will be pushing my changes to barbican upstream.

Please look at the blueprint. I have done CLI and REST changes, need to make changes during build-app.

Noorul Islam K M (noorul) wrote :

Related discussion on irc

<noorul> ravips: hello [19:30]
<ravips> noorul: hi [19:31]
<ravips> noorul: I need your input for the bug I'm trying to address, need
         to pass a field to plan_handler but that's not in the Plan object
                                                                        [19:32]
<noorul> which method? [19:34]
<ravips> noorul: init_plan_v1() in plan controller is pruning all fields that
         are not in the plan object, don't want to put the logic in controller
* noorul is looking [19:35]
<ravips> noorul: just some background, trying to support private github repos
         in solum (https://bugs.launchpad.net/solum/+bug/1319604), cli will
         pass 'artifact_deploy_keys' as optional param
<ravips> noorul: solum api, will parse that field and stores secrets in
         barbican and persists secret_ref in plan object [19:36]
<noorul> ravips: where is that method used? I don't see a use in the code base
                                                                        [19:37]
<ravips> noorul: are you referring to init_plan_v1() method? [19:38]
<noorul> Oh yeah, there is by_version variant
<ravips> noorul: init_plan_by_version() generates the method
<noorul> shouldn't those fields also be part of plan file? [19:40]
<ravips> noorul: we don't want to for security reasons, no one wants to put
         their private key/passphrase in yaml file [19:41]
<noorul> I thought it is going to be some barbican id [19:43]
<noorul> but still that makes it non portable [19:45]
<noorul> ravips: May be you need to change the way we do plan posting [19:46]
<noorul> ravips: How about using multipart ?
<ravips> may be I can add it to the plan data model but will not persist similar
         to services? [19:47]
<noorul> ravips: One will have meta data and another will have plan yaml
* ravips looking up multipart
<noorul> ravips:
         http://pecan.readthedocs.org/en/latest/routing.html#handling-file-uploads
                                                                        [19:53]
<ravips> noorul: passing sshkey creds along with yaml file from cli to
         solum-api server is not an issue [19:54]
<noorul> ravi...

OpenStack Infra (hudson-openstack) wrote : Fix proposed to solum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/103972

Changed in solum:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on solum (master)

Change abandoned by Ravi Sankar Penta (<email address hidden>) on branch: master
Review: https://review.openstack.org/103972
Reason: Better approach suggested by PaulCzar

OpenStack Infra (hudson-openstack) wrote : Fix proposed to solum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/105605

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/109467

OpenStack Infra (hudson-openstack) wrote : Change abandoned on solum (master)

Change abandoned by Ravi Sankar Penta (<email address hidden>) on branch: master
Review: https://review.openstack.org/109467
Reason: Incorrect Change-Id

OpenStack Infra (hudson-openstack) wrote : Fix merged to solum (master)

Reviewed: https://review.openstack.org/105605
Committed: https://git.openstack.org/cgit/stackforge/solum/commit/?id=e640ec39431242668a86b8337b247e1465d15d5c
Submitter: Jenkins
Branch: master

commit e640ec39431242668a86b8337b247e1465d15d5c
Author: Ravi Sankar Penta <email address hidden>
Date: Mon Jun 9 16:05:59 2014 -0700

    Added support for private GitHub repos

    Implements: blueprint support-private-github-repos
    Closes-Bug: 1319604
    Change-Id: I6f0181a59165e5ab7e0b2d38aab07c8b06ec7462

Changed in solum:
status: In Progress → Fix Committed
Adrian Otto (aotto)
Changed in solum:
status: Fix Committed → Fix Released