[QA] Keeping secrets safe on Jenkins
Stephen Niedzielski
sniedzielski at wikimedia.org
Wed Aug 12 23:05:08 UTC 2015
Assuming a better solution does not exist, I _think_ what I'm ultimately
asking for is a Zuul managed / JJB maintained private Jenkins instance only
accessible over SSH, if that makes sense. Is there anything like that?
There must be other teams in the foundation that need a secure release job
and we could either leverage their solution or they ours.
The reason this is important is because we want to leverage all the
effort that's been put in to building the versioned, maintained,
homogeneous public WMF Jenkins instances, only privately and securely. We
want to avoid a homebuilt configuration sitting on a PC in the office that
we hope never breaks because it only makes sense to one engineer and they
are working on something else.
I really appreciate the help on this question as well as all the support
that's been provided in getting our CI spinning up recently.
--stephen
On Wed, Aug 12, 2015 at 4:18 PM, Greg Grossmeier <greg at wikimedia.org> wrote:
> <quote name="Chris Steipp" date="2015-08-12" time="10:33:44 -0700">
> > Hi Michael / Stephen,
> >
> > Off the top of my head, I believe hashar setup something on our current
> > Jenkins instance to handle passwords. But nothing extreemly secret goes
> > there.
>
> (Others correct me if I'm wrong, but since Antoine's out...)
>
> Yeah, and mostly just passwords for Selenium (ie: not the end of the
> world if they're exposed, they just have accounts on Beta Cluster).
>
> We don't have, eg, a Jenkins instance that we trust with private gpg
> keys to sign release tarballs.
>
> Greg
>
> --
> | Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E |
> | identi.ca: @greg A18D 1138 8E47 FAC8 1C7D |
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.wikimedia.org/pipermail/qa/attachments/20150812/085703d8/attachment.html>
More information about the QA
mailing list