[all] New Zuul job to replicate a project's git repository to a remote git server
David Moreau Simard
dmsimard at redhat.com
Thu Apr 11 21:45:25 UTC 2019
Hi,
It is now possible for projects to replicate their git repository to a
custom location by inheriting from the 'upload-git-mirror' job
provided by Zuul.
This job wraps around the 'upload-git-mirror' Ansible role that is
part of the zuul-jobs library [1].
In order to use this job, you must supply a secret in the following format:
===
- secret:
name: <name of your secret>
data:
user: <ssh user of the remote git server>
host: <address of the remote git server>
host_key: <ssh host key of the remote git server>
ssh_key: <private key to authenticate with the remote git server>
===
The 'host_key' parameter can be retrieved from your known_hosts file
or with a command like 'ssh-keyscan -H <host>' or 'ssh-keyscan -t rsa
<host>'.
For example, the 'host_key' when pushing to GitHub would be, on a single line:
github.com ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
The 'ssh_key' parameter should be encrypted before being committed to
the git repository.
Zuul provides a tool for easily encrypting files such as SSH private
keys and you can find more information about it in the documentation
[2].
For example, encrypting a key for the "openstack/ara" project would
look like this:
===
zuul/tools/encrypt_secret.py --infile /home/dmsimard/.ssh/ara_git_key
--tenant openstack https://zuul.openstack.org openstack/ara
===
You would then use the secret in a job inheriting from
'upload-git-mirror' as such:
===
- job:
name: <project>-upload-git-mirror
parent: upload-git-mirror
description: Mirrors openstack/<project> to neworg/<project>
vars:
git_mirror_repository: neworg/<project>
secrets:
- name: git_mirror_credentials
secret: <name of your secret>
pass-to-parent: true
===
Finally, the job must be set to run in your project's 'post' pipeline
which is triggered every time a new commit is merged to the
repository:
===
- project:
check:
jobs:
# [...]
gate:
jobs:
# [...]
post:
jobs:
- <project>-upload-git-mirror
===
Note that the replication would only begin *after* the change has
merged, meaning that merging the addition of the post job would not
trigger the post job itself immediately.
The post job will only trigger the next time that a commit is merged.
[1]: https://zuul-ci.org/docs/zuul-jobs/general-roles.html#role-upload-git-mirror
[2]: https://zuul-ci.org/docs/zuul/user/encryption.html
David Moreau Simard
dmsimard = [irc, github, twitter]
More information about the openstack-discuss
mailing list