... | ... | @@ -652,37 +652,8 @@ Next steps: |
|
|
|
|
|
### Replacing Jenkins with GitLab CI as a builder
|
|
|
|
|
|
We currently use Jenkins to build some websites and push them to the
|
|
|
static mirror infrastructure, as documented above. To use GitLab CI
|
|
|
here, there are a few alternatives.
|
|
|
|
|
|
1. trigger Jenkins jobs from GitLab CI: there is [a GitLab plugin to
|
|
|
trigger Jenkins jobs](https://docs.gitlab.com/ee/integration/jenkins.html), but that doesn't actually replace
|
|
|
Jenkins
|
|
|
2. replace Jenkins by replicating the `ssh` pipeline: this involves
|
|
|
shipping the private SSH key as a [private environment
|
|
|
variable](https://gitlab.torproject.org/help/ci/variables/README#custom-environment-variables) which then is used by the runner to send the file and
|
|
|
trigger the build. this is seen as a too broad security issue
|
|
|
3. replace Jenkins by a web hook
|
|
|
|
|
|
The web hook, in particular, would run on "jobs" changes, and would
|
|
|
perform the following:
|
|
|
|
|
|
1. run as a (Python? [WSGI](https://docs.python.org/3/library/wsgiref.html#module-wsgiref.simple_server)?) web server (wrapped by Apache?)
|
|
|
2. listen to [webhooks from GitLab](https://gitlab.torproject.org/help/user/project/integrations/webhooks#pipeline-events), and only GitLab (ip allow list, in Apache?)
|
|
|
3. map given project to given static site component (or secret token?)
|
|
|
4. pull artifacts from job (do the equivalent to `wget` and `unzip`)
|
|
|
5. `rsync -c` into local static source (to avoid reseting timestamps)
|
|
|
6. triggers `static-update-component`
|
|
|
|
|
|
This would mean a new service, but would allow us to retire Jenkins
|
|
|
without rearchitecturing the entire static mirroring system (see above
|
|
|
for the idea of replacing it with GitLab pages).
|
|
|
|
|
|
We should carefully look at the Jenkins jobs in existence and see
|
|
|
which absolutely need to be migrated in this way, maybe there's a way
|
|
|
to convert those to simply use GitLab pages and CI, with very few
|
|
|
exceptions.
|
|
|
See the [Jenkins documentation](service/jenkins#gitlab-ci-replacement)
|
|
|
for more information on that front.
|
|
|
|
|
|
<!-- LocalWords: atomicity DDOS YAML Hiera webserver NFS CephFS TLS
|
|
|
-->
|
... | ... | |
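Review bot: the web hook steps leave authentication of the caller as an open question. Step 2 relies on an IP allow list alone ("ip allow list, in Apache?"), and step 3 lists the secret token as an alternative to the project mapping ("or secret token?") rather than as a requirement. Suggest making both mandatory: keep the allow list, and also have the service check the secret token GitLab sends with each webhook (the `X-Gitlab-Token` header) using a constant-time comparison before doing any work. The project-to-component mapping in step 3 should be a fixed table on the server. Step 4 should build the artifact URL from that table instead of from fields in the request body, and should refuse archive entries that would unpack outside the target directory before step 5 runs `rsync -c`. Two smaller points: option 2 says only that shipping the SSH key is "a too broad security issue", and it should say what the key would grant and to whom; and "reseting" in step 5 should be "resetting". The hunk header (-652,37 +652,8) shrinks this section to 8 lines and the text points to `service/jenkins#gitlab-ci-replacement`, so if these steps are moving there, the same comments apply to that page.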