zuul-jobs/test-playbooks/registry/buildset-registry.yaml
Clark Boylan 4c40b92950 Prevent leaks of buildset registry credentials
Because buildset registries may be used by jobs that finish before other
jobs are finished using the buildset registry we must be careful not to
expose the registry credentials in the jobs that finish sooner.
Otherwise logs for the earlier job runs could potentially be used to
poison the registry for later jobs.

This is likely currently incomplete. Other Zuulians should look over it
carefully to ensure we're covering all the bases here.

The cases I've identified so far are:

* Setting facts that include passwords
* Reading and writing to files that include passwords (as content may be
  logged)
* Calling modules with passwords passed as arguments (the module
  invocation is logged)

I've also set no_log on zuul_return that passes up credentials because
while the logging for zuul_return is minimal today, I don't want to
count on it remaining that way.

We also use the yet to be merged secret_data attribute on zuul_return to
ensure that zuul_return itself does not expose anything unwanted.

Finally it would be great if others could check over the use of
buildset_registry variables to make sure there aren't any that got
missed. One thing I'm not sure of is whether or not when conditionals
get logged and if we need to be careful about their use too.

Temporarily remove some buildset-regitry jobs which are in a catch-22.

Change-Id: I2dea683e27f00b99a7766bf830981bf91b925265
2021-06-24 09:56:19 -07:00

35 lines
1.8 KiB
YAML

# This job inherits from a buildset-registry job, so it should already
# be running locally and have any speculative images loaded into it.
- hosts: all
tasks:
- name: Load real buildset registry connection info
set_fact:
real_buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}"
no_log: true
# This should now use the speculative image, because we've already
# run use-buildset-registry.
- name: Run the fake buildset registry
include_role:
name: run-buildset-registry
vars:
buildset_registry_root: "{{ ansible_user_dir }}/fake_buildset_registry"
buildset_registry_port: 9000
# Leave that zuul return so that dependent jobs use the fake one
- name: Load fake buildset registry connection info
set_fact:
fake_buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}"
no_log: true
- name: Build a test image
command: "docker build . -t zuul/testimage:latest"
args:
chdir: "{{ zuul.project.src_dir }}/test-playbooks/registry/docker"
- name: Push test image into fake buildset registry
command: "skopeo copy --dest-tls-verify=false --dest-creds {{ buildset_registry.username }}:{{ buildset_registry.password }} docker-daemon:zuul/testimage:latest docker://localhost:9000/zuul/docker-testimage:latest"
- name: Push test image into fake buildset registry
command: "skopeo copy --dest-tls-verify=false --dest-creds {{ buildset_registry.username }}:{{ buildset_registry.password }} docker-daemon:zuul/testimage:latest docker://localhost:9000/quay.io/zuul/quay-testimage:latest"
- name: Pause the job
zuul_return:
data:
zuul:
pause: true