[QA] Keeping secrets safe on Jenkins

Dan Duvall dduvall at wikimedia.org
Thu Aug 13 00:32:57 UTC 2015


On Wed, Aug 12, 2015 at 4:05 PM, Stephen Niedzielski <
sniedzielski at wikimedia.org> wrote:

>   Assuming a better solution does not exist, I _think_ what I'm ultimately
> asking for is a Zuul managed / JJB maintained private Jenkins instance only
> accessible over SSH, if that makes sense. Is there anything like that?
> There must be other teams in the foundation that need a secure release job
> and we could either leverage their solution or they ours.
>

There's a fundamental problem with signing on a Jenkins slave, private or
shared, in that it will trust and execute anything the master gives it.
It's also possible that the master (and other slaves by extension) is
vulnerable to slave response forgery as well.[1]

I think to do automated signing right, we'd want to start with a dedicated
production host that independently polls/listens for CR events and executes
only tightly reviewed jobs that are outside the realm of our CI
Zuul/Jenkins altogether. Whether this would be another, completely
private, Jenkins /cluster/ or something lighter, I'm not sure.

[1] https://groups.google.com/d/topic/jenkinsci-users/W5dKc06l1qs/discussion

-- 
Dan Duvall
Automation Engineer
Wikimedia Foundation <http://wikimediafoundation.org>
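
Added example, not part of the original message and not Wikimedia code: a sketch of the gate such a dedicated signing host could apply, where a code-review event only selects a job pinned on the host and never supplies the commands to run. The event field names, the project/branch key, the job script, and the function name are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed job script, as it was when reviewers approved it.
REVIEWED_SCRIPT = b"#!/bin/sh\nset -eu\n./build-release.sh\n./sign-release.sh\n"

# Pin table stored on the signing host: (project, branch) -> reviewed digest.
REVIEWED_JOBS = {
    ("example/app", "release"): hashlib.sha256(REVIEWED_SCRIPT).hexdigest(),
}
ALLOWED_FIELDS = {"type", "project", "branch", "revision"}
COMMIT_RE = re.compile(r"[0-9a-f]{40}")


def decide(event, local_script):
    """Return (run, reason). The event picks a pinned job; it never carries commands."""
    if event.get("type") != "change-merged":
        return False, "ignored: not a merge event"
    extra = set(event) - ALLOWED_FIELDS
    if extra:
        return False, "refused: unexpected fields %s" % sorted(extra)
    pinned = REVIEWED_JOBS.get((event.get("project"), event.get("branch")))
    if pinned is None:
        return False, "refused: no reviewed job for this project/branch"
    if not COMMIT_RE.fullmatch(str(event.get("revision", ""))):
        return False, "refused: revision is not a full commit id"
    # The script is read from the signing host's own disk and must still
    # match the digest recorded at review time.
    actual = hashlib.sha256(local_script).hexdigest()
    if not hmac.compare_digest(actual, pinned):
        return False, "refused: local job script differs from reviewed digest"
    return True, "run pinned job for %s" % event["revision"]


if __name__ == "__main__":
    good = {"type": "change-merged", "project": "example/app",
            "branch": "release", "revision": "a" * 40}  # constructed event
    samples = [
        (good, REVIEWED_SCRIPT),
        (dict(good, script="echo injected"), REVIEWED_SCRIPT),
        (dict(good, branch="master"), REVIEWED_SCRIPT),
        (good, REVIEWED_SCRIPT + b"echo tampered\n"),
    ]
    for event, script in samples:
        print(decide(event, script))
```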