[cookbooks.wmcs.toolforge.component.deploy] Add secrets support when deploying
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	dcaro
	Apr 12 2023, 12:34 PM

Description

Currently the wmcs.toolforge.component.deploy just runs deploy.sh script from the git url passed, that does not allow us to inject somehow secrets to the deployed k8s elements.

Some examples of secrets we currently need:

User/pass of the account to push images to harbor (for the toolforge build service)
(add more if you find more)

This task is to brainstorm ways on how to get those secrets there, will create a decision task once we have a few ideas (and no clear consensus arises here first).

Feel free to add comment/change the task to add ideas etc.

Puppet + helmfile

One way is to use the current puppet private repo to store the secrets as hiera values, then have a puppet module that creates a values.yaml file that helmfile would include when generating the k8s objects (exact process to be investigated/defined).

K8s manually entered secrets

We could use k8s secrets for it, and manually create and maintain them.

Helm-secrets

Commit encrypted secret files to the Git repositories and provision decryption keys to the control nodes via Puppet. Helmfile supports integration with the helm-secrets plugin.

Add more ideas here

Details

	Subject	Repo	Branch	Lines +/-
	toolforge: add deployer module with the secrets	operations/puppet	production	+61 -5

Customize query in gerrit

	Title	Reference	Author	Source Branch	Dest Branch
	[builds-api]: add protocol to harborRepository url	repos/cloud/toolforge/toolforge-deploy!72	raymond-ndibe	add_protocol_to_harbor_repository_url	main
	builds-api: add harbor user and password	repos/cloud/toolforge/toolforge-deploy!69	dcaro	builds_api_add_secrets	main

Customize query in GitLab

Related Objects
Search...

Status	Assigned	Task
Resolved	bd808	T133777 Tools that should get archived/deleted (tracking)
Resolved	Andrew	T170355 Figure out process for deleting an unused tool
In Progress	Andrew	T332514 Store state information for the disable tool process outside NFS
Resolved	LucasWerkmeister	T320140 Migrate wd-shex-infer from Toolforge GridEngine to Toolforge Kubernetes
Resolved	matmarex	T319707 Migrate dtcheck from Toolforge GridEngine to Toolforge Kubernetes
Resolved	Legoktm	T320062 Migrate steve-adder from Toolforge GridEngine to Toolforge Kubernetes
Resolved	Legoktm	T320011 Migrate rfa-voting-history from Toolforge GridEngine to Toolforge Kubernetes
Open	dcaro	T194332 [Epic,builds-api,components-api,webservice,jobs-api] Make Toolforge a proper platform as a service with push-to-deploy and build packs
Resolved	dcaro	T342563 [harbor] Stabilize the current installation
Resolved	Raymond_Ndibe	T337386 [builds-api.start] Create the harbor project beforehand if it does not exist
Open	None	T334629 Update maintain_kubeusers to use the toolstate database
Resolved	dcaro	T334585 [cookbooks.wmcs.toolforge.component.deploy] Add secrets support when deploying
Resolved	dcaro	T304532 buildservice: migrate to helmfile from of kustomize

Event Timeline

dcaro created this task.Apr 12 2023, 12:34 PM

taavi edited projects, added Toolforge; removed Toolforge Build Service.Apr 12 2023, 12:38 PM

taavi updated the task description. (Show Details)

aborrero subscribed.Apr 13 2023, 11:09 AM

taavi added a parent task: T334629: Update maintain_kubeusers to use the toolstate database.Apr 13 2023, 3:44 PM

taavi mentioned this in T334629: Update maintain_kubeusers to use the toolstate database.

I think the first option puppet+helmfile may be what the other SREs are using. But I may be wrong, I didn't check or confirmed in any way.

bd808 moved this task from Backlog to In Progress on the Toolforge board.Apr 27 2023, 11:24 PM

dcaro removed a project: Cloud Services Proposals.May 26 2023, 7:52 AM

dcaro opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/69

builds-api: add harbor user and password

fnegri added a project: Cloud-VPS.Aug 4 2023, 12:11 PM

fnegri moved this task from Unsorted to wmcs-cookbooks on the Cloud-VPS board.Aug 4 2023, 12:17 PM

dcaro changed the task status from Open to In Progress.Aug 8 2023, 12:48 PM

dcaro added a subtask: T304532: buildservice: migrate to helmfile from of kustomize.

dcaro edited projects, added Toolforge Build Service (Iteration 17); removed Toolforge.

dcaro moved this task from Next Up to In Progress on the Toolforge Build Service (Iteration 17) board.

dcaro removed a project: Epic.

dcaro added a subtask: T337386: [builds-api.start] Create the harbor project beforehand if it does not exist.

dcaro changed the status of subtask T337386: [builds-api.start] Create the harbor project beforehand if it does not exist from In Progress to Stalled.

dcaro edited projects, added Toolforge Build Service (Iteration 18); removed Toolforge Build Service (Iteration 17).Aug 8 2023, 1:50 PM

dcaro moved this task from Next Up to In Progress on the Toolforge Build Service (Iteration 18) board.

dcaro removed a subtask: T337386: [builds-api.start] Create the harbor project beforehand if it does not exist.Aug 14 2023, 10:00 AM

dcaro added a parent task: T337386: [builds-api.start] Create the harbor project beforehand if it does not exist.

Change 948566 had a related patch set uploaded (by David Caro; author: David Caro):

[operations/puppet@production] toolforge: add deployer module with the secrets

https://gerrit.wikimedia.org/r/948566

Change 948566 merged by David Caro:

[operations/puppet@production] toolforge: add deployer module with the secrets

https://gerrit.wikimedia.org/r/948566

dcaro merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/69

builds-api: add harbor user and password

dcaro closed this task as Resolved.Aug 16 2023, 9:50 AM

dcaro moved this task from In Progress to Done on the Toolforge Build Service (Iteration 18) board.

Maintenance_bot removed a project: Patch-For-Review.Aug 16 2023, 10:10 AM

raymond-ndibe opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/72

[builds-api]: add protocol to harborRepository url

dcaro merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/72

[builds-api]: add protocol to harborRepository url

Maintenance_bot removed a project: Patch-For-Review.Aug 17 2023, 10:30 AM

dcaro changed the status of subtask T304532: buildservice: migrate to helmfile from of kustomize from Open to In Progress.Sep 11 2023, 11:11 AM

dcaro closed subtask T304532: buildservice: migrate to helmfile from of kustomize as Resolved.Sep 26 2023, 2:25 PM

[cookbooks.wmcs.toolforge.component.deploy] Add secrets support when deployingClosed, ResolvedPublicActions