[QA] Keeping secrets safe on Jenkins

Stephen Niedzielski sniedzielski at wikimedia.org
Thu Aug 13 01:37:47 UTC 2015 

  Thanks for the info, Dan! Assuming we went this route, what do we use to
manage private production configurations? Is there a project that would be
a good template I could check out? I would ignorantly guess that we
probably have at least a couple ultra secure machines somewhere and am
trying to come up to speed with how these are versioned and maintained, and
the general infrastructure available.


--stephen

On Wed, Aug 12, 2015 at 6:32 PM, Dan Duvall <dduvall at wikimedia.org> wrote:

> On Wed, Aug 12, 2015 at 4:05 PM, Stephen Niedzielski <
> sniedzielski at wikimedia.org> wrote:
>
>>   Assuming a better solution does not exist, I _think_ what I'm
>> ultimately asking for is a Zuul managed / JJB maintained private Jenkins
>> instance only accessible over SSH, if that makes sense. Is there anything
>> like that? There must be other teams in the foundation that need a secure
>> release job and we could either leverage their solution or they ours.
>>
>
> There's a fundamental problem with signing on a Jenkins slave, private or
> shared, in that it will trust and execute anything the master gives it.
> It's also possible that the master (and other slaves by extension) is
> vulnerable to slave response forgery as well.[1]
>
> I think to do automated signing right, we'd want to start with a dedicated
> production host that independently polls/listens for CR events and executes
> only tightly reviewed jobs that are outside the realm of our CI
> Zuul/Jenkins altogether. Whether this would be a another, completely
> private, Jenkins /cluster/ or something lighter, I'm not sure.
>
> [1]
> https://groups.google.com/d/topic/jenkinsci-users/W5dKc06l1qs/discussion
>
> --
> Dan Duvall
> Automation Engineer
> Wikimedia Foundation <http://wikimediafoundation.org>
>
> --
> You received this message because you are subscribed to the Google Groups
> "android" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to android+unsubscribe at wikimedia.org.
> To post to this group, send email to android at wikimedia.org.
> To view this discussion on the web visit
> https://groups.google.com/a/wikimedia.org/d/msgid/android/CACu0jZ5L9qAyH%3D4tOFu_k36omByAjcVBJ6OgFENn2-pu649BiQ%40mail.gmail.com
> <https://groups.google.com/a/wikimedia.org/d/msgid/android/CACu0jZ5L9qAyH%3D4tOFu_k36omByAjcVBJ6OgFENn2-pu649BiQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.wikimedia.org/pipermail/qa/attachments/20150812/bf5fd2eb/attachment.html>

More information about the QA mailing list