From 632542ab812da78116b92c881c76f7952ef93ce8 Mon Sep 17 00:00:00 2001 From: Phillip Johnsen Date: Tue, 7 Nov 2017 22:01:59 +0100 Subject: [PATCH 1/3] github-bot: add IPs of Jenkins workers Providing the `$JENKINS_WORKER_IPS` environment variable at startup will activate the whitelist implemented in the bot, validating who's allowed to push Jenkins job updates as inline PR statuses on github.com. Refs: https://github.com/nodejs/github-bot/pull/142 PR-URL: https://github.com/nodejs/build/pull/985 Reviewed-By: Jon Moss Reviewed-By: Joyee Cheung Reviewed-By: Rod Vagg --- setup/github-bot/resources/environment-file | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/github-bot/resources/environment-file b/setup/github-bot/resources/environment-file index 3e49f722c..75a08fb71 100644 --- a/setup/github-bot/resources/environment-file +++ b/setup/github-bot/resources/environment-file @@ -9,3 +9,4 @@ LOGS_DIR=/home/{{server_user}}/logs JENKINS_API_CREDENTIALS={{envs.jenkins_api_credentials}} JENKINS_JOB_URL_CITGM={{envs.jenkins_job_url_citgm}} JENKINS_BUILD_TOKEN_CITGM={{envs.jenkins_build_token_citgm}} +JENKINS_WORKER_IPS=147.75.69.113,147.75.73.189 From 32f4636938cb6dcf17dcb33c8816a9b7563da047 Mon Sep 17 00:00:00 2001 From: Phillip Johnsen Date: Wed, 8 Nov 2017 21:49:31 +0100 Subject: [PATCH 2/3] inventory: add github-bot reminder when changing Jenkins worker IPs The github-bot has a whitelist of IPs that are allowed to push Jenkins job status as inline PR status on github.com. Whenever we change our Jenkins worker IPs, we should remember to update the bot's whitelist as well. PR-URL: https://github.com/nodejs/build/pull/985 Reviewed-By: Jon Moss Reviewed-By: Joyee Cheung Reviewed-By: Rod Vagg --- ansible/inventory.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/inventory.yml b/ansible/inventory.yml index 59a9715da..ca2218039 100644 --- a/ansible/inventory.yml +++ b/ansible/inventory.yml 
@@ -232,6 +232,8 @@ hosts: centos7-arm64-2: {ip: 147.75.74.254} ubuntu1604-arm64-1: {ip: 147.75.77.130} ubuntu1604-arm64-2: {ip: 147.75.74.174} +# when adding, removing or changing the IPs below, +# remember to update Jenkins worker IP whitelist in github-bot ubuntu1604-x64-1: {ip: 147.75.69.113, alias: jenkins-workspace-1} ubuntu1604-x64-2: {ip: 147.75.73.189, alias: jenkins-workspace-2} From 505001649cded9fc878296257be4a78afb005c0a Mon Sep 17 00:00:00 2001 From: Phillip Johnsen Date: Mon, 27 Nov 2017 09:55:32 +0100 Subject: [PATCH 3/3] ansible: added todo to automate Jenkins worker IPs for github-bot Instead of keeping the list of whitelisted Jenkins worker IPs up-to-date manually, it would be ideal to automate that with a python script instead. Refs: https://github.com/nodejs/build/pull/985#issuecomment-346921173 PR-URL: https://github.com/nodejs/build/pull/985 --- ansible/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/README.md b/ansible/README.md index 1f68fee1b..ab325ac2e 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -197,6 +197,8 @@ Unsorted stuff of things we need to do/think about - [ ] add explicit ARCH and DESTCPU for release machines (RV: I'm adding "arm64" manually for both to force the right thing, from memory I've needed to do this on x86 and x64, best be explicit to be sure) +- [ ] github-bot: automate list of whitelisted Jenkins worker IPs with + python [callback]: plugins/inventory/nodejs_yaml.py
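Review bot: In the setup/github-bot/resources/environment-file hunk of patch 1/3, the added `JENKINS_WORKER_IPS=147.75.69.113,147.75.73.189` line hard-codes the addresses, while the three context lines above it all take their values from `{{envs.…}}` template variables. The same two addresses are the `ubuntu1604-x64-1` and `ubuntu1604-x64-2` entries in ansible/inventory.yml, so the allowlist becomes a second copy that can drift from the inventory; consider templating the value so there is a single source. Also, the commit message says the whitelist is activated by providing this variable, which suggests a missing or empty value leaves the check off; it is worth confirming that the bot logs clearly when it starts without the allowlist, so a lost line in this file does not go unnoticed.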
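Review bot: In the ansible/inventory.yml hunk of patch 2/3, the added comment says "the IPs below" without saying which entries it covers or where the whitelist is kept. Since the hosts that follow are `ubuntu1604-x64-1` and `ubuntu1604-x64-2` with the `jenkins-workspace-*` aliases, suggest naming those hosts in the comment and pointing at `JENKINS_WORKER_IPS` in setup/github-bot/resources/environment-file, so that someone adding entries after them later can tell whether the reminder applies and which file to edit.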
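Review bot: In the ansible/README.md hunk of patch 3/3, the new todo item "automate list of whitelisted Jenkins worker IPs with python" gives no pointer to where the list lives or to the discussion behind it. Suggest naming `JENKINS_WORKER_IPS` in setup/github-bot/resources/environment-file as the target and ansible/inventory.yml as the source, and linking the issue comment from the commit message's Refs line, so the item is actionable without reading the commit history.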