diff --git a/_modules/notifications.py b/_modules/notifications.py
index ce7ca19..92b7568 100644
--- a/_modules/notifications.py
+++ b/_modules/notifications.py
@@ -1,28 +1,49 @@
# -------------------------------------------------------------
# Salt — Node execution module
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: Build Notifications center configuration
# License: BSD-2-Clause
# -------------------------------------------------------------
import copy
def get_credentials():
try:
services = __pillar__["notifications_credentials"]["services"]
except KeyError:
services = []
return {"services": [_build_service_config(service) for service in services]}
def _build_service_config(service):
built_service = copy.deepcopy(service)
if "secret" in service:
built_service["secret"] = __salt__["credentials.get_token"](service["secret"])
return built_service
+
+
+# -------------------------------------------------------------
+# Build triggers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def get_dockerhub_triggers():
+ repositories = __pillar__.get("notifications_dockerhub_triggers", {})
+ return {
+ repository: _get_dockerhub_trigger(key)
+ for repository, key in repositories.items()
+ }
+
+
+def _get_dockerhub_trigger(key):
+ secret = __salt__["vault.read_secret"](key)
+ return {
+ "source": secret["source"],
+ "trigger": secret["trigger"],
+ }
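Review bot: `_get_dockerhub_trigger` indexes `secret["source"]` and `secret["trigger"]` without checking what `vault.read_secret` handed back, so a secret the node's policy doesn't cover, a missing path, or a secret missing one of the two fields surfaces as a bare KeyError/TypeError during state rendering with no indication of which Vault path was at fault. A guard such as `if not isinstance(secret, dict) or not {"source", "trigger"} <= secret.keys():` followed by `raise KeyError(f"Vault secret {key} must be a mapping with 'source' and 'trigger'")` would fail with the path in the message while keeping the rest of the render unaffected. Both new functions also lack docstrings; I would document that `key` is the full Vault path (as the pillar comment says) and that the returned values are Docker Hub build-trigger identifiers that are credential-equivalent, which is why the caller writes them with `show_changes: False`. Naming the parameter `path` or `secret_path` rather than `key` would also avoid confusion with the kv key/value vocabulary used by `vault.read_secret`.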
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
index 814c55d..0c53fc4 100644
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -1,210 +1,214 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Vault configuration
#
# :: vault_policies_path: path on vault server where to store policies
#
# :: vault_policies_source: path to fetch policies from
# if starting by salt://, from salt files server
#
# :: vault_mount_paths: translates secrets paths in policies paths
#
# Generally, Vault paths are the same for policies and data access.
#
# For kv secrets engine, version 2, writing and reading versions
# of a kv value are prefixed with the data/ path.
#
# credentials.build_policies_by_node will use this dictionary
# to be able to rewrite secrets paths in data paths.
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_policies_path: /srv/policies/vault
vault_policies_source: /srv/policies/vault
vault_mount_paths:
ops/secrets: ops/data/secrets
ops/privacy: ops/data/privacy
+ apps: apps/data
# -------------------------------------------------------------
# Vault policies to deploy as-is, ie without templating.
#
# Entries of vault_policies must match a .hcl file in
# roles/vault/policies/files folder.
#
# If you need a template, create a new pillar entry instead
# and add the parsing logic either:
# - directly to roles/vault/policies/
#
# - through _modules/credentials.py for policies to apply
# to Salt nodes, like e.g. vault_secrets_by_role
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_policies:
- salt-primary
- sentry
- viperserv
# -------------------------------------------------------------
# Vault policies for Salt
#
# Declare the extra policies each nodes need.
#
# In adition of those extra policies, the vault_secrets_by_role
# will be parsed for the keys.
#
# IMPORTANT: as grains['roles'] can be modified by the node,
# roles are extracted directly from the pillar.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_extra_policies_by_role:
salt-primary:
- salt-primary
# -------------------------------------------------------------
# Vault secrets by role
#
# Paths of the keys the specified role needs access to.
#
# Avoid * notation as this namespace is shared between Vault
# and the applications. As such, only secrets the Salt nodes
# needs in a state they need to deploy should be listed here.
#
# Use %%node%% as variable for node name.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_secrets_by_role:
devserver:
- ops/secrets/nasqueron/notifications/notifications-cli/%%node%%
opensearch:
- ops/secrets/nasqueron.opensearch.infra-logs.internal_users.admin
- ops/secrets/nasqueron.opensearch.infra-logs.internal_users.dashboards
paas-docker-prod:
#
# Personal data or personally identifiable information (PII)
# related to Nasqueron Operations SIG members.
#
- ops/privacy/ops-cidr
#
# Credentials used by Nasqueron services
# Format: ops/secrets/nasqueron/service/<...>
#
- ops/secrets/nasqueron/airflow/admin_account
- ops/secrets/nasqueron/airflow/fernet
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/dbserver/cluster-A/users/airflow
- ops/secrets/nasqueron/rabbitmq/white-rabbit/erlang-cookie
- ops/secrets/nasqueron/rabbitmq/white-rabbit/root
- ops/secrets/nasqueron/sentry/geoipupdate
#
# Credentials used by Nasqueron services
# Format: ops/secrets/nasqueron.<service>.<type>
#
- ops/secrets/nasqueron.acquisitariat.mysql
- ops/secrets/nasqueron.auth-grove.mysql
- ops/secrets/nasqueron.cachet.app_key
- ops/secrets/nasqueron.cachet.mysql
- ops/secrets/nasqueron.etherpad.api
- ops/secrets/nasqueron.notifications.broker
- ops/secrets/nasqueron.notifications.mailgun
- ops/secrets/nasqueron.notifications.sentry
- ops/secrets/nasqueron.notifications.credentials_github_nasqueron
- ops/secrets/nasqueron.notifications.credentials_github_wolfplex
- ops/secrets/nasqueron.notifications.credentials_github_keruald
- ops/secrets/nasqueron.notifications.credentials_github_trustspace
- ops/secrets/nasqueron.notifications.credentials_github_eglide
- ops/secrets/nasqueron.notifications.credentials_phabricator_nasqueron
+ - apps/notifications-center/dockerhub/notifications
+ - apps/notifications-center/dockerhub/auth-grove
+
- ops/secrets/nasqueron.pixelfed.app_key
- ops/secrets/nasqueron.pixelfed.mailgun
- ops/secrets/nasqueron.pixelfed.mysql
- ops/secrets/nasqueron.sentry.app_key
- ops/secrets/nasqueron.sentry.postgresql
- ops/secrets/nasqueron.sentry.vault
#
# Credentials used by Nasqueron members private services
# Format: <username>.<service>.<type>
#
- ops/secrets/dereckson.phabricator.mysql
#
# Credentials used by projects hosted by Nasqueron
# Format: <project name>.<service>.<type>
#
- ops/secrets/espacewin.phpbb.mysql_root
- ops/secrets/wolfplex.phabricator.mailgun
- ops/secrets/wolfplex.phabricator.mysql
- ops/secrets/zed.phabricator.mysql
- ops/secrets/zed.phabricator.sendgrid
paas-docker-dev:
#
# Credentials used by Nasqueron services
# Format: ops/secrets/nasqueron/service/<...>
#
- ops/secrets/nasqueron/airflow/admin_account
- ops/secrets/nasqueron/airflow/fernet
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/dbserver/cluster-A/users/airflow
#
# Credentials used by projects hosted by Nasqueron
# Format: <project name>.<service>.<type>
#
- ops/secrets/espacewin.bugzilla.mysql
- ops/secrets/espacewin.bugzilla.mysql_root
viperserv:
- ops/secrets/nasqueron.viperserv.vault
webserver-legacy:
#
# Wolfplex credentials
#
- ops/secrets/nasqueron.etherpad.api
# -------------------------------------------------------------
# Vault secrets by dbserver cluster
#
# Paths of the keys the specified role needs access to.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_secrets_by_dbserver_cluster:
# Main PostgreSQL cluster
A:
- ops/secrets/dbserver/cluster-A/users/*
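Review bot: The two new `apps/notifications-center/dockerhub/*` grants are listed under `paas-docker-prod` only, while the state that reads them (`roles/paas-docker/containers/notifications.sls`) is rendered on any node carrying `docker_containers:notifications`; if a `paas-docker-dev` node ever hosts that container, `vault.read_secret` will be denied and the whole state render fails rather than degrading. Either mirror the entries under `paas-docker-dev` or note the assumption next to them, e.g. `# Docker Hub triggers are read by the notifications container state; prod-only by design`. The new `vault_mount_paths` entry `apps: apps/data` is a bare mount name where the existing keys carry a sub-path; if `credentials.build_policies_by_node` rewrites by plain prefix this presumably also matches any future mount starting with `apps` (e.g. `apps-dev`), so writing it as `apps/: apps/data/` or confirming the rewrite matches on a path component would be safer — I can't see the rewrite code from here.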
diff --git a/pillar/notifications/config.sls b/pillar/notifications/config.sls
index 3e5d95f..836d82a 100644
--- a/pillar/notifications/config.sls
+++ b/pillar/notifications/config.sls
@@ -1,153 +1,166 @@
# -------------------------------------------------------------
# Notifications center
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Credentials
#
# The secret key value is the Vault key path for this secret,
# it will be passed to the credentials.get_token method.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notifications_credentials:
services:
# Nasqueron
- gate: GitHub
door: Nasqueron
secret: nasqueron.notifications.credentials_github_nasqueron
- gate: GitHub
door: Wolfplex
secret: nasqueron.notifications.credentials_github_wolfplex
- gate: GitHub
door: Keruald
secret: nasqueron.notifications.credentials_github_keruald
- gate: GitHub
door: TrustSpace
secret: nasqueron.notifications.credentials_github_trustspace
- gate: GitHub
door: Eglide
secret: nasqueron.notifications.credentials_github_eglide
- gate: Phabricator
door: Nasqueron
instance: https://devcentral.nasqueron.org
secret: nasqueron.notifications.credentials_phabricator_nasqueron
-# Docker Hub build triggers URL can't currently been automated easily.
+# -------------------------------------------------------------
+# Docker Hub build triggers
+#
+# Key: the repository, the same in GitHub and Docker Hub
+# Value: the *full* path to Vault secret
+#
+# This vault secret should use the following format:
+# source: the UUID after /source/
+# trigger: the UUID after /trigger/
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+notifications_dockerhub_triggers:
+ nasqueron/auth-grove: apps/notifications-center/dockerhub/auth-grove
+ nasqueron/notifications: apps/notifications-center/dockerhub/notifications
# -------------------------------------------------------------
# Payload analyzer configuration
#
# The content of notifications_configuration will be split
# into folders and JSON files, converted from YAML objects.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notifications_configuration:
GitHubPayloadAnalyzer:
default: &default
administrativeGroup: orgz
defaultGroup: ''
map: []
Nasqueron:
administrativeGroup: orgz
defaultGroup: nasqueron
map:
- group: docker
items:
- docker-*
- group: tasacora
items:
- tasacora-*
- group: devtools
items:
- notifications
- notifications-cli-client
- group: ops
items:
- decommission
- discourse-config
- ftp
- operations
- servers-*
- zemke-rhyne
JenkinsPayloadAnalyzer:
default:
defaultGroup: ci
map: []
notifyOnlyOnFailure: []
Nasqueron:
defaultGroup: ci
map:
- group: wikidata
items:
- deploy-irc-daeghrefn-wikidata
- group: ops
items:
- deploy-website-*
- test-prod-env
- group: devtools
items:
- test-notifications-*
notifyOnlyOnFailure:
- test-prod-env
PhabricatorPayloadAnalyzer:
default: *default
Nasqueron:
administrativeGroup: orgz
defaultGroup: nasqueron
map:
- group: docker
items:
- Docker images
- Nasqueron Docker deployment squad
words:
- Docker
- group: tasacora
items:
- Tasacora
words:
- Tasacora
- cartography
- group: trustspace
items:
- TrustSpace
- group: ops
items:
- Continous integration and delivery
- IPv6
- Mail
- Message queues
- Murasil
- Nasqueron security operations squad
- Servers
- Ops-sprint-*
- Salt
words:
- Ysul
- Dwellers
- Eglide
- pkg audit
wordsAreStrong: true
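Review bot: The new `notifications_dockerhub_triggers` comment explains the secret layout but not that these paths have to be granted separately, unlike the `notifications_credentials` entries above which go through `credentials.get_token`; a reader adding a third repository will not know to touch the Vault policy pillar. I would add `# Each path must also be granted to the deploying role in pillar/credentials/vault.sls (vault_secrets_by_role),` and `# otherwise the notifications container state fails to render.` It is also worth stating in the same block that the `source` and `trigger` UUIDs are the components of the Docker Hub build-trigger URL and therefore act as a credential (anyone holding them can fire builds), which is why they live in Vault rather than inline here.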
diff --git a/roles/paas-docker/containers/notifications.sls b/roles/paas-docker/containers/notifications.sls
index d452175..8016059 100644
--- a/roles/paas-docker/containers/notifications.sls
+++ b/roles/paas-docker/containers/notifications.sls
@@ -1,90 +1,99 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2016-01-23
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['notifications'].items() %}
# -------------------------------------------------------------
# Storage directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/{{ instance }}/storage:
file.directory:
- user: 431
- group: 433
- makedirs: True
/srv/{{ instance }}/storage/app/credentials.json:
file.managed:
- user: 431
- group: 433
- mode: 400
- makedirs: True
- show_changes: False
- contents: |
{{ salt['notifications.get_credentials']() | json }}
+/srv/{{ instance }}/storage/app/DockerHubTriggers.json:
+ file.managed:
+ - user: 431
+ - group: 433
+ - mode: 400
+ - show_changes: False
+ - contents: |
+ {{ salt['notifications.get_dockerhub_triggers']() | json }}
+
{% for folder, configs in salt['pillar.get']("notifications_configuration", {}).items() %}
{% for config_file, config in configs.items() %}
/srv/{{ instance }}/storage/app/{{ folder }}/{{ config_file }}.json:
file.managed:
- user: 431
- group: 433
- makedirs: True
- contents: |
{{ config | json }}
{% endfor %}
{% endfor %}
{% if has_selinux %}
selinux_context_notifications_data_{{ instance }}:
selinux.fcontext_policy_present:
- name: /srv/{{ instance }}/storage
- sel_type: container_file_t
selinux_context_notifications_data_applied_{{ instance }}:
selinux.fcontext_policy_applied:
- name: /srv/{{ instance }}/storage
{% endif %}
# -------------------------------------------------------------
# Container
#
# Image: nasqueron/notifications
# Description: Listen to webhooks, fire notifications to
# the broker. Used for CI / IRC notifications.
# Services used: RabbitMQ broker (white-rabbit)
# Docker volume (/srv/notifications/storage)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/notifications
- binds: /srv/{{ instance }}/storage:/var/wwwroot/default/storage
- links:
- {{ container['broker_link'] }}:mq
- environment:
- BROKER_HOST: mq
- BROKER_USERNAME: {{ salt['credentials.get_username'](container['credentials']['broker']) }}
- BROKER_PASSWORD: {{ salt['credentials.get_password'](container['credentials']['broker']) }}
- BROKER_VHOST: dev
- MAILGUN_DOMAIN: {{ salt['credentials.get_username'](container['credentials']['mailgun']) }}
- MAILGUN_APIKEY: {{ salt['credentials.get_password'](container['credentials']['mailgun']) }}
- SENTRY_DSN: {{ salt['credentials.get_sentry_dsn'](container["sentry"]) }}
- SENTRY_TRACES_SAMPLE_RATE: 1.0
- ports:
- 80
- port_bindings:
- {{ container['app_port'] }}:80
{% endfor %}
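Review bot: The new `DockerHubTriggers.json` state omits `- makedirs: True`, unlike the sibling `credentials.json` state just above it, so it only works because Salt's default ordering runs the `credentials.json` state first and that state creates `storage/app`; with a custom ordering or if `credentials.json` is ever removed, this state fails on a missing parent directory. Adding `- makedirs: True` (or a `- require: - file: /srv/{{ instance }}/storage/app/credentials.json`) makes the dependency explicit. The `mode: 400`/`show_changes: False` pairing matches the existing credentials file, which is appropriate given the trigger UUIDs are credential-equivalent.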