User stories for Jenkins and Mariposa #3
Conversation
| @@ -0,0 +1 @@ | |||
| c1bcd137fadd26ca2998eec192d04c08f62beb1f | |||
There was a problem hiding this comment.
@tgross this should be content, not a sha, right?
| @@ -0,0 +1,76 @@ | |||
| # jupiter.example.com, Jenkins, and Mariposa | |||
There was a problem hiding this comment.
Can you put this in 00036/user-stories/jupiter-example-com-jenkins.md and add it to the user stories in the main readme?
|
|
||
| - Jenkins must be provisioned with an SSH key for Mariposa | ||
| - Jenkins must be provisioned with an SSH key for GitHub deploy keys | ||
| - Jenkins will effectively own the entire account until we have RBAC v2. |
There was a problem hiding this comment.
This is a good callout, but it doesn't help us specify what permissions would be expected in an RBACv2 world
There was a problem hiding this comment.
Brainstorming for RBACv2 world, Jenkins would need permissions to:
- create/copy project manifests
- update project manifests
- trigger deploys of projects
Jenkins would not need permissions to:
- launch/destroy containers
- change account information
(not yet a complete list)
|
|
||
| Jenkins would generate secrets as part of the job for the dev environment, add those to the manifest’s metadata (this isn’t in the manifest file itself!). This allows the dev credentials be ephemeral for each deployment. | ||
|
|
||
| For production metadata, the operators can add those secrets to Mariposa out-of-band from the CI server. This way Jenkins never gets the production secrets. It only has the manifest not the metadata for production. (Although in practice in has the keys to the universe until RBAC v2.) |
There was a problem hiding this comment.
Although in practice in has the keys to the universe until RBAC v2
We need to get more particular about what permissions are required to support this process
|
|
||
| This Jenkins job is configured to receive GitHub webhook pushes. The Jenkins job should run build and deployment tasks defined in the code repository so that the process for deployment is owned by the team that owns the code. | ||
|
|
||
| Each GitHub branch has an associated Mariposa project. The Jenkins job clones a template manifest (from the repo) for each new branch. Each changeset received on a given branch will be deployed as a new version of that manifest. |
There was a problem hiding this comment.
Each GitHub branch has an associated Mariposa project
Does this assume the project is pre-created, or does Jenkins create it?
There was a problem hiding this comment.
Not sure... is creating a new manifest for a project a separate action from creating the project? If so, then we could split the two behaviors for Jenkins. We don't have to though.
There was a problem hiding this comment.
I imagine there's manifest per project (though we track changes in that manifest and can restore old versions).
I think my real point is that the passive voice there suggests that Jenkins isn't creating projects, so I wanted to be clear.
|
|
||
| ``` | ||
| git tag v1.2.3 | ||
| git tag production |
There was a problem hiding this comment.
This is focused on the git side of things, but that may not fully capture what we staged and tested, no?
More discussion in #3 (comment)
There was a problem hiding this comment.
It is, but we need a way to identify to the production-deploying job which branch or tag it's supposed to be promoting to production. Using git tag is one way, but in the workflow in https://github.com/joyent/joyent.com-kirby/pull/181 we're using the master branch (or whatever branch we've parameterized otherwise).
Either works, but by having the git tag be the marker we end up with a record of what source version corresponds to what image version. (i.e. although you can move a tag to a different commit a branch is always pointing to the last commit of its branch, even after you deploy).
There was a problem hiding this comment.
Please discuss in #3 (comment)
| git push --tags | ||
| ``` | ||
|
|
||
| The operator uses the Jenkins UI (or CLI) to start the deployment job with the particular tag needed (with the default being part of the Jenkins job definition). The job tags the correct version as “production” and renders the production manifest with the new version and pushes it to Mariposa for deployment. Note that Mariposa isn’t watching registry server; you need to explicitly update images in IMGAPI to get new images, so updating the Docker image tag in the registry is not enough to trigger a deployment. |
There was a problem hiding this comment.
you need to explicitly update images in IMGAPI to get new images
There are a number of intersecting "versions" here.
- The git repo with the docker file
- The other repos sources that we incorporate in the build, and which are not as strongly versioned as the primary git repo (1)
- The image tag, which we hope will be strongly versioned with the sum of all its components from the above (2), but independently from the primary git repo (1)
- The project manifest, which might specify an image tag more specific than "latest" or "prod" (3)
Tagging the release in git addresses (1), but seems to leave a lot of gaps elsewhere. I think we need to work on how to close those gaps.
There was a problem hiding this comment.
Agreed that tagging suitably addresses (1).
Can we address (2) by incorporating the git SHA into the build? Similar to what we do in ContainerPilot or Joyent.com. This makes the git SHA indelibly marked in the image layers.
Resolving (3) by making that same git SHA show up in the project manifest is a tiny bit harder because we probably can't enforce any of this workflow (it's all owned by the end user's Jenkins job). But we could easily expose the Labels from the Docker images associated with a manifest version though. Maybe we provide a conventional label to the end users? (like triton.mariposa.version or something)
There was a problem hiding this comment.
I'm probably not explaining my question well. Let me try a different approach.
Let's say we build an image on day one. The base image is pinned to php:5.6-apache, it stages well, and everything works perfectly.
However, on day 2 a developer does a manual build of the image using the exactly same code/git sha from day one. The difference is that on this day the content of the base image is different and now it has a bug.
The git sha represents one aspect of the "version," but it clearly doesn't represent everything.
There was a problem hiding this comment.
Updated this following our conversion this afternoon. How's this look?
@misterbisson @jasonpincin