Closed Bug 1375195 Opened 7 years ago Closed 5 years ago

Validate that all AWS worker type secrets exist in taskcluster-secrets and remove secrets from worker type definitions

Categories: Taskcluster :: Workers (Type: enhancement, Priority: Not set, Severity: normal)

Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: pmoore, Assigned: pmoore

Details

This is an important sanity check after the other threads of work have been completed, to ensure that before we open up the worker type definitions, we are 100% confident that no secrets are lurking in there, in any workerType, anywhere.
Blocks: 1375197
No longer blocks: 1375155
Found in triage.

Pete: you were going to do something with this batch of bugs, IIRC.
Work continues in dependent bugs.
QA Contact: pmoore
Component: Worker → Workers

Since we changed bug 1375182 and bug 1375194 to be about copying secrets, rather than moving the secrets, this bug also needs to take care of removing the secrets, so updating the bug title to reflect this intended change.

Summary: Validate that no AWS worker type definitions contain any confidential/non-public information → Validate that all AWS worker type secrets exist in taskcluster-secrets and remove secrets from worker type definitions
Depends on: 1375157, 1375176
No longer depends on: 1375182
No longer depends on: 1375194
Depends on: 1375192
Depends on: 1527613
Depends on: 1524592
Assignee: nobody → pmoore

I've removed all secrets from worker type definitions:

FTR I used this script, which captured the diff. I validated all the diffs before running it for real.

I also have captured all the worker type definitions before running the script so we can roll back if needed.

package main

import (
	"encoding/json"
	"fmt"
	"io/ioutil"
	"log"
	"net/url"

	tcclient "github.com/taskcluster/taskcluster-client-go"
	"github.com/taskcluster/taskcluster-client-go/tcawsprovisioner"
)

func main() {
	// Credentials are taken from TASKCLUSTER_CLIENT_ID / TASKCLUSTER_ACCESS_TOKEN
	// in the environment; the client needs scopes to read and update worker types.
	prov := tcawsprovisioner.NewFromEnv()
	wts, err := prov.ListWorkerTypes()
	if err != nil {
		log.Fatalf("Error listing worker types: %v", err)
	}
	for _, wt := range *wts {
		// invalid worker type definition, skip it...
		if wt == "gecko-1-b-win2016" {
			continue
		}
		wtr, err := prov.WorkerType(wt)
		if err != nil {
			log.Fatalf("Error retrieving %v worker type definition: %v", wt, err)
		}
		switch {
		case string(wtr.Secrets) == "{}":
			// Nothing to remove for this worker type.
			log.Printf("Empty secret for worker type %v", wt)
		default:
			log.Printf("Docker worker secret for worker type %v", wt)
			// Use the raw API client so the definition can be fetched and re-posted
			// as a generic map, rather than via the typed request/response structs.
			cdv := tcclient.Client(*prov)
			cd := &cdv
			var dataAsMap map[string]interface{}
			_, _, err = cd.APICall(nil, "GET", "/worker-type/"+url.QueryEscape(wt), &dataAsMap, nil)
			if err != nil {
				log.Fatal(err)
			}
			// Read-only fields that the update route does not accept.
			delete(dataAsMap, "lastModified")
			delete(dataAsMap, "workerType")
			result, err := json.MarshalIndent(dataAsMap, "", "  ")
			if err != nil {
				log.Fatal(err)
			}
			// Keep the original definition (secrets included) so the change can be
			// rolled back. It contains the secrets, so make it owner-readable only.
			err = ioutil.WriteFile(wt+".orig", result, 0600)
			if err != nil {
				log.Fatal(err)
			}
			// Replace the secrets object with an empty one; every other field is unchanged.
			dataAsMap["secrets"] = map[string]string{}
			result, err = json.MarshalIndent(dataAsMap, "", "  ")
			if err != nil {
				log.Fatal(err)
			}
			err = ioutil.WriteFile(wt+".new", result, 0644)
			if err != nil {
				log.Fatal(err)
			}
			fmt.Printf("Update to worker type %v:\n----------------------------\n%v\n----------------------------\n", wt, string(result))
			// Push the scrubbed definition back to the provisioner.
			_, _, err = cd.APICall(dataAsMap, "POST", "/worker-type/"+url.QueryEscape(wt)+"/update", new(interface{}), nil)
			if err != nil {
				log.Fatal(err)
			}
		}
	}
}
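The two checks this bug asks for, that every secret in a worker type definition already exists in taskcluster-secrets before it is removed, and that after removal no secret value is still lurking anywhere else in the definition (for example pasted into userData), can be done offline against the JSON the script above saves as .orig and .new. The following is an added example, not the script from this bug nor Taskcluster project code: it works on a constructed worker type definition and a constructed stand-in for the taskcluster-secrets store, and the secret name "worker-type:aws-provisioner-v1/<workerType>" is an assumed naming convention, not one the bug specifies.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of a worker type definition as returned by the provisioner's
// /worker-type/<name> route, with secrets still inline. All values are made up.
const sampleDefinition = `{
  "workerType": "example-worker",
  "secrets": {
    "dockerConfig": {"auth": "deadbeef-token"},
    "pulseUsername": "pulse-user"
  },
  "userData": {"notes": "registration token deadbeef-token also here"},
  "regions": [{"region": "us-west-2", "launchSpec": {"ImageId": "ami-0000"}}]
}`

// secretsStore stands in for taskcluster-secrets. The key naming is an assumption
// made for this example; the values are the copied secrets.
var secretsStore = map[string]map[string]interface{}{
	"worker-type:aws-provisioner-v1/example-worker": {
		"dockerConfig":  map[string]interface{}{"auth": "deadbeef-token"},
		"pulseUsername": "pulse-user",
	},
}

// loadDefinition parses a worker type definition into a generic map.
func loadDefinition(raw string) (map[string]interface{}, error) {
	var def map[string]interface{}
	err := json.Unmarshal([]byte(raw), &def)
	return def, err
}

// flatten walks an arbitrary JSON value and records path -> string value for every
// scalar leaf, so nested objects can be compared key by key.
func flatten(prefix string, v interface{}, out map[string]string) {
	switch t := v.(type) {
	case nil:
	case map[string]interface{}:
		for k, child := range t {
			flatten(prefix+"/"+k, child, out)
		}
	case []interface{}:
		for i, child := range t {
			flatten(fmt.Sprintf("%s/%d", prefix, i), child, out)
		}
	default:
		out[prefix] = fmt.Sprint(t)
	}
}

// missingSecrets lists each leaf under the definition's "secrets" object that is
// absent from, or differs in, the taskcluster-secrets copy. Empty means safe to remove.
func missingSecrets(def map[string]interface{}, stored map[string]interface{}) []string {
	have, want := map[string]string{}, map[string]string{}
	flatten("", def["secrets"], want)
	flatten("", stored, have)
	var missing []string
	for path, val := range want {
		if have[path] != val {
			missing = append(missing, path)
		}
	}
	sort.Strings(missing)
	return missing
}

// scrub returns a copy of the definition with the secrets object emptied and the
// read-only fields removed, mirroring what the removal script posts back.
func scrub(def map[string]interface{}) map[string]interface{} {
	out := map[string]interface{}{}
	for k, v := range def {
		out[k] = v
	}
	delete(out, "lastModified")
	delete(out, "workerType")
	out["secrets"] = map[string]interface{}{}
	return out
}

// leakedSecretPaths is the post-removal sanity check: any field of the scrubbed
// definition whose value still contains a known secret value is reported.
func leakedSecretPaths(scrubbed map[string]interface{}, stored map[string]interface{}) []string {
	values, fields := map[string]string{}, map[string]string{}
	flatten("", stored, values)
	flatten("", scrubbed, fields)
	var leaks []string
	for path, field := range fields {
		for _, secret := range values {
			if secret != "" && strings.Contains(field, secret) {
				leaks = append(leaks, path)
				break
			}
		}
	}
	sort.Strings(leaks)
	return leaks
}

func main() {
	def, err := loadDefinition(sampleDefinition)
	if err != nil {
		panic(err)
	}
	stored := secretsStore["worker-type:aws-provisioner-v1/example-worker"]
	fmt.Println("missing from taskcluster-secrets:", missingSecrets(def, stored))
	fmt.Println("still leaking after scrub:", leakedSecretPaths(scrub(def), stored))
}
```

On the constructed input the first check passes (both secrets are in the store), while the second flags /userData/notes: emptying the secrets object is not enough when a secret value has been copied into another field, which is exactly the case the "anywhere" in the bug description is meant to catch.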

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED