[QA] Keeping secrets safe on Jenkins

Brian Gerstle bgerstle at wikimedia.org
Thu Aug 13 10:42:06 UTC 2015


Good discussion! iOS is interested in how this goes, as we'd also like to
package, sign, and deploy our app securely. Our current setup lives on our
private, OS X Jenkins server which is only accessible on WMF networks. It's
not versioned in any way, though it could be (using Ansible or
Boxen/puppet).

Android was considering using the Mac Mini at some point. If we're the only
two teams that need this environment at present, should we try to use the
same machine, or at least hardware/config?

On Wednesday, August 12, 2015, Stephen Niedzielski <
sniedzielski at wikimedia.org> wrote:

>   Thanks for the info, Dan! Assuming we went this route, what do we use to
> manage private production configurations? Is there a project that would be
> a good template I could check out? I would ignorantly guess that we
> probably have at least a couple ultra secure machines somewhere and am
> trying to come up to speed with how these are versioned and maintained, and
> the general infrastructure available.
>
>
> --stephen
>
> On Wed, Aug 12, 2015 at 6:32 PM, Dan Duvall <dduvall at wikimedia.org> wrote:
>
>> On Wed, Aug 12, 2015 at 4:05 PM, Stephen Niedzielski <
>> sniedzielski at wikimedia.org> wrote:
>>
>>>   Assuming a better solution does not exist, I _think_ what I'm
>>> ultimately asking for is a Zuul managed / JJB maintained private Jenkins
>>> instance only accessible over SSH, if that makes sense. Is there anything
>>> like that? There must be other teams in the foundation that need a secure
>>> release job and we could either leverage their solution or they ours.
>>>
>>
>> There's a fundamental problem with signing on a Jenkins slave, private or
>> shared, in that it will trust and execute anything the master gives it.
>> It's also possible that the master (and other slaves by extension) is
>> vulnerable to slave response forgery as well.[1]
>>
>> I think to do automated signing right, we'd want to start with a
>> dedicated production host that independently polls/listens for CR events
>> and executes only tightly reviewed jobs that are outside the realm of our
>> CI Zuul/Jenkins altogether. Whether this would be another, completely
>> private, Jenkins /cluster/ or something lighter, I'm not sure.
>>
>> [1]
>> https://groups.google.com/d/topic/jenkinsci-users/W5dKc06l1qs/discussion
>>
>> --
>> Dan Duvall
>> Automation Engineer
>> Wikimedia Foundation <http://wikimediafoundation.org>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "android" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to android+unsubscribe at wikimedia.org.
>> To post to this group, send email to android at wikimedia.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/wikimedia.org/d/msgid/android/CACu0jZ5L9qAyH%3D4tOFu_k36omByAjcVBJ6OgFENn2-pu649BiQ%40mail.gmail.com
>>
>
>

-- 
EN Wikipedia user page: https://en.wikipedia.org/wiki/User:Brian.gerstle
IRC: bgerstle
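An added illustration of the design Dan sketches above (a dedicated host that pulls release events itself and executes only jobs that were reviewed and pinned in advance, instead of running whatever a CI master hands it). This is example code written for this page, not anything from the thread, from Wikimedia's CI, or from Jenkins; the event format, the HMAC-signed notification, the job name, project, branch, and the allowlist contents are all assumptions.

```python
"""
Stand-alone signing-host sketch: authenticate each inbound event, map it to
one pinned job, and refuse to execute job content whose digest does not match
what was reviewed.  Example code, not the thread's or Wikimedia's; the event
shape, shared secret and allowlist are constructed for illustration.
"""
import hashlib
import hmac
import json
import subprocess
import tempfile
import os


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the reviewed body of one signing job.  In practice the
# digest is pinned at deploy time after review, so a compromised CI master
# cannot inject new build steps into the job.
REVIEWED_JOB_SCRIPT = b"#!/bin/sh\necho signing release\n"
REVIEWED_JOBS = {
    "android-release-sign": {                 # assumed job name
        "project": "apps/android/wikipedia",  # assumed project
        "branch": "master",
        "event_type": "ref-updated",          # assumption: only ref pushes trigger signing
        "sha256": sha256_hex(REVIEWED_JOB_SCRIPT),
    }
}


def sign_event(body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the raw event bytes (the sender's side)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_event_signature(body: bytes, provided_sig: str, secret: bytes) -> bool:
    """Authenticate an inbound event so a forged notification cannot start a job."""
    return hmac.compare_digest(sign_event(body, secret), provided_sig)


def select_job(event: dict):
    """Map an authenticated event to exactly one pinned job, or None."""
    for name, spec in REVIEWED_JOBS.items():
        if (event.get("type") == spec["event_type"]
                and event.get("project") == spec["project"]
                and event.get("branch") == spec["branch"]):
            return name
    return None


def script_is_reviewed(job_name: str, script: bytes) -> bool:
    """True only if the job body hashes to the digest pinned after review."""
    spec = REVIEWED_JOBS.get(job_name)
    return spec is not None and hmac.compare_digest(spec["sha256"], sha256_hex(script))


def handle_event(body: bytes, provided_sig: str, secret: bytes, fetch_script) -> str:
    """
    Decision path for one inbound event; returns a status string so the caller
    can see why a job was or was not accepted.  fetch_script(job_name) -> bytes
    is how the host obtains the job body (assumption: from a local, reviewed
    checkout on the signing host, never from the CI master).
    """
    if not verify_event_signature(body, provided_sig, secret):
        return "rejected: bad event signature"
    event = json.loads(body.decode("utf-8"))
    job = select_job(event)
    if job is None:
        return "ignored: no pinned job for this event"
    if not script_is_reviewed(job, fetch_script(job)):
        return "rejected: job content does not match reviewed digest"
    return "run: " + job


def run_pinned_job(job_name: str, script: bytes) -> str:
    """Execute an already-verified job body with sh and return its stdout."""
    if not script_is_reviewed(job_name, script):
        raise RuntimeError("refusing to run unreviewed job content")
    with tempfile.NamedTemporaryFile(suffix=".sh", delete=False) as f:
        f.write(script)
        path = f.name
    try:
        return subprocess.run(["sh", path], capture_output=True, text=True, check=True).stdout
    finally:
        os.unlink(path)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = b'{"type": "ref-updated", "project": "apps/android/wikipedia", "branch": "master"}'
    print(handle_event(body, sign_event(body, secret), secret, lambda n: REVIEWED_JOB_SCRIPT))
    print(handle_event(body, "00" * 32, secret, lambda n: REVIEWED_JOB_SCRIPT))
```

The two checks are independent on purpose: the HMAC stops a forged event from triggering a job at all, and the pinned digest stops a legitimate event from running job content that drifted from what was reviewed, which is the failure a shared slave cannot defend against since it executes whatever its master sends.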