Automate DO identity creation for pipelines
Context: in the course of creating multiple roles in our infrastructure (gitlab-com/infrastructure#1764), and the general effort of decoupling our cookbooks, the following changes were made to our cookbooks:
- `gitlab_users` was created from scratch with TDD in mind (unit and integration tests from the start)
- `gitlab-openssh` was refactored to have similar unit and integration tests
- `gitlab_sudo` is now being created from scratch with TDD in mind
In order to run kitchen tests on DO during the pipeline, and to automate TDD in general:
- a Makefile was introduced to serve as the source of truth for all things pipeline
- `.gitlab-ci.yml` was simplified to simply call `make` targets during pipelines
- `.kitchen.ci.yml` was created to tie DO droplets to pipelines with the `kitchen-digitalocean` driver.
The above is designed to be reusable across cookbooks and to eventually be moved to the cookbook template. However, when creating a new cookbook one still has to specify secret variables in the CI/CD settings: the DO access token and the SSH access parameters, namely `SSH_PRIVATE_KEY` and `DIGITALOCEAN_SSH_KEY_ID`, which is a) toil, b) there is really no need to keep private keys as secret variables only to echo them into files during the pipeline, and c) they have to be tracked somewhere (currently in 1Password).
This issue tracks progress on rewriting this process so that SSH keys are ephemeral, i.e. created before the integration test and destroyed after it. With a new cookbook one would then only have to add one variable, the DigitalOcean access token, which can later be further improved by issuing separate tokens for CI pipelines.
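One way the ephemeral-key flow could look, as an added example and not the project's own code: a small script that a `make` target would wrap around `kitchen test`. It generates a throwaway keypair on the runner, registers the public half with DigitalOcean, runs the command, and deletes the key again whether or not the command succeeded. It assumes the DigitalOcean API v2 endpoints `POST /v2/account/keys` (returns `{"ssh_key": {"id": ...}}`) and `DELETE /v2/account/keys/<id>`, a `DIGITALOCEAN_ACCESS_TOKEN` environment variable, `ssh-keygen` on the runner, and a `.kitchen.ci.yml` that reads the key id from `DIGITALOCEAN_SSH_KEY_ID` and the private key path from a hypothetical `SSH_PRIVATE_KEY_PATH` variable; the transport is injectable so the logic can be exercised offline.

```python
"""Run a command (e.g. `kitchen test`) with an ephemeral DigitalOcean SSH key.

Added example, not the project's code. Assumes DigitalOcean API v2:
  POST   /v2/account/keys        -> 201, {"ssh_key": {"id": ..., ...}}
  DELETE /v2/account/keys/<id>   -> 204
"""
import json
import os
import subprocess
import sys
import tempfile
import urllib.request

DO_KEYS_URL = "https://api.digitalocean.com/v2/account/keys"


def _http(req):
    """Default transport; tests substitute a fake so nothing touches the network."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


def do_request(token, method, url, body=None, http=_http):
    """Authenticated JSON call; any non-2xx status is an error, never a silent no-op."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    })
    status, raw = http(req)
    if status // 100 != 2:
        raise RuntimeError("%s %s -> HTTP %d: %r" % (method, url, status, raw[:200]))
    return json.loads(raw) if raw else {}


def register_key(token, name, public_key, http=_http):
    """Upload a public key to the DO account and return its numeric id."""
    resp = do_request(token, "POST", DO_KEYS_URL,
                      {"name": name, "public_key": public_key}, http)
    return resp["ssh_key"]["id"]


def delete_key(token, key_id, http=_http):
    """Remove the key from the DO account (DELETE /v2/account/keys/<id>)."""
    do_request(token, "DELETE", "%s/%d" % (DO_KEYS_URL, key_id), http=http)


def generate_keypair(directory):
    """Fresh ed25519 keypair, empty passphrase; returns (private_path, public_key)."""
    path = os.path.join(directory, "id_ed25519")
    subprocess.run(["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-f", path], check=True)
    with open(path + ".pub") as fh:
        return path, fh.read().strip()


def run_with_ephemeral_key(token, command, http=_http, generate=generate_keypair):
    """Create key -> register -> run command -> delete key, even if the command fails.

    The private half lives only in a temp dir that is wiped on exit, so it never
    has to exist as a CI variable at all.
    """
    with tempfile.TemporaryDirectory() as tmp:
        private_path, public_key = generate(tmp)
        # Stable prefix makes leftovers from a hard-killed job easy to sweep later.
        name = "ci-ephemeral-%s" % os.environ.get("CI_PIPELINE_ID", os.getpid())
        key_id = register_key(token, name, public_key, http)
        try:
            env = dict(os.environ,
                       DIGITALOCEAN_SSH_KEY_ID=str(key_id),  # read by .kitchen.ci.yml (assumed)
                       SSH_PRIVATE_KEY_PATH=private_path)    # hypothetical variable name
            return subprocess.run(command, env=env).returncode
        finally:
            delete_key(token, key_id, http)


if __name__ == "__main__":
    tok = os.environ.get("DIGITALOCEAN_ACCESS_TOKEN")
    if not tok or len(sys.argv) < 2:
        sys.exit("usage: DIGITALOCEAN_ACCESS_TOKEN=... %s kitchen test" % sys.argv[0])
    sys.exit(run_with_ephemeral_key(tok, sys.argv[1:]))
```

The `finally` block is the important part: a failed `kitchen test` must still remove the key, otherwise every red pipeline leaks a public key into the account. A job killed outright (runner timeout, SIGKILL) skips cleanup regardless, which is why the key name carries a recognisable prefix so a periodic job can delete stale `ci-ephemeral-*` keys. With this in place the only secret the pipeline needs is the access token, matching the goal above.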