ndr_dev_support 6.1.6 → 6.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 64a3efbb44c782bd62b06b12a1ccf5a8390173b7cff796141f044df5c79bf6a6
-  data.tar.gz: 7ebfe41c07779cb4a90ad956359827f277bae624a254204b3460a99fa361b37f
+  metadata.gz: 5fe8e3400612fc7c12992a9ed37a1896cc2345ef9d060638776ad5f3f5f2c2e1
+  data.tar.gz: 229b4288c7f789407821bea03feaf6bf0512b5628d51d1a69fd8f8febdcacb6d
 SHA512:
-  metadata.gz: 2ecc17440ed412719ea08f742c3c853401ebf06ba8ab1ec82eb143395f81ed0206ad857e300fbbb284441c248349364db12110a22511401887c007a15491800d
-  data.tar.gz: 2e4c6023991fe8a7bdb685fce3d21eef9aa9baf89b2c491a51a5fbe65d586bf1471103ff0d57212b4fc9f8a51809138f17a482aca3f15c961aa8dd227b215838
+  metadata.gz: 1edfdb2328f91d2fb3707b1f6e1b8b70f48cf4bae5037a1bea01398192a079912d063842bd45a88b748fb6522e6c6b5593336584e7bad3a0e2c91e0ff539fcb5
+  data.tar.gz: 687c9637cc0c9d1dae203b242393f91c44fc7817719fb9e0fbe43bb8ea9b545918ee45850f0f2f2d8186858a72ef807416ef2006fd8cf7f8b2533b5987596c74

data/CHANGELOG.md

@@ -1,6 +1,10 @@
 ## [Unreleased]
 * No unreleased changes
 
+## 6.1.7 / 2022-07-15
+### Added
+* Add `cd:credentials` rake task for continuous deployment of credentials
+
 ## 6.1.6 / 2022-07-01
 ### Added
 * capistrano: use DEPLOYER environment variable for non-interactive deployments

data/lib/ndr_dev_support/daemon/cd_credentials.rb

@@ -0,0 +1,157 @@
+require 'English'
+require_relative 'stoppable'
+require 'ndr_dev_support/slack_message_publisher'
+require 'shellwords'
+require 'with_clean_rbenv'
+
+module NdrDevSupport
+  module Daemon
+    # Wrapper around Capistrano based Continuous Deployment of application credentials
+    #
+    # Assumes there is a capistrano task "app:update_secrets" which can be used together
+    # with a target name, e.g. cap target app:update_secrets
+    # to update a capistrano target with secrets / credentials from one or more repositories.
+    # To use this daemon, a number of environment variables need to be set
+    # including CD_TARGETS and CD_URLS.
+    class CDCredentials
+      include Stoppable
+
+      def self.from_args(env)
+        name = env['WORKER_NAME'].to_s
+        cd_targets = env['CD_TARGETS'].to_s.split
+        cd_urls = env['CD_URLS'].to_s.split
+
+        new(name: name, cd_targets: cd_targets, cd_urls: cd_urls)
+      end
+
+      def initialize(name:, cd_targets:, cd_urls:)
+        super
+
+        # Worker name can be used for clear logging:
+        @name = name
+        raise ArgumentError, 'No WORKER_NAME specified!' if name.blank?
+
+        # Capistrano targets to use for deployments
+        @cd_targets = cd_targets
+        raise ArgumentError, 'No CD_TARGETS specified!' unless cd_targets&.present?
+
+        # URLs to watch for continuous deployment
+        @cd_urls = cd_urls
+        raise ArgumentError, 'No CD_URLS specified!' unless cd_urls&.present?
+      end
+
+      private
+
+      def run_once
+        log('running once...')
+
+        # Keep state, watch repositories for changes, maybe save state to disk?
+        if (revisions = check_for_new_revisions)
+          log("deploying with revisions #{revisions}...")
+          deploy_credentials # should also notify slack if any changes deployed, but not
+        else
+          log('nothing new to deploy')
+        end
+        log('completed single run.')
+      rescue => e
+        log(<<~MSG)
+          Unhandled exception! #{e.class}: #{e.message}
+          #{(e.backtrace || []).join("\n")}
+        MSG
+
+        raise e
+      end
+
+      # Check for new revisions, and cache the latest one.
+      # If there are new revisions in the repositories available since the last check,
+      # return a hash of repo -> latest revision
+      # If no revisions have changed, returns nil
+      def check_for_new_revisions
+        # TODO: implement this, by checking for updates to @cd_urls
+        # Stub implementation, pretends things always changed
+        { 'dummy_repo' => '0' }
+      end
+
+      # Deploy credentials to all targets. Should also notify slack if any changes deployed
+      def deploy_credentials
+        log("Deploying to #{@cd_targets.join(', ')}...")
+        @changed_targets = []
+        @unchanged_targets = []
+        @failed_targets = []
+        @cd_targets.each do |target|
+          deploy_to_target(target)
+        end
+        publish_results
+      end
+
+      # Deploy credentials to a single target.
+      def deploy_to_target(target)
+        WithCleanRbenv.with_clean_rbenv do
+          results = `rbenv exec bundle exec cap #{Shellwords.escape(target)} \
+                       app:update_secrets < /dev/null`.split("\n")
+          puts results
+          if $CHILD_STATUS.exitstatus.zero?
+            if results.include?('No changed secret files to upload')
+              @unchanged_targets << target
+              log("Unchanged target #{target}")
+            elsif results.grep(/^Uploaded [0-9]+ changed secret files: /).any?
+              @changed_targets << target
+              log("Changed target #{target}")
+            else
+              @failed_targets << target
+              log("Unparseable result deploying to target #{target}")
+            end
+          else
+            @failed_targets << target
+            log("Failed to deploy to target #{target}")
+          end
+        end
+      end
+
+      def publish_results
+        slack_publisher = NdrDevSupport::SlackMessagePublisher.new(ENV['SLACK_WEBHOOK_URL'],
+                                                                   username: 'Rake CI',
+                                                                   icon_emoji: ':robot_face:',
+                                                                   channel: ENV['SLACK_CHANNEL'])
+        slack_publisher.post(attachments: attachments)
+      end
+
+      # Status / warning messages for slack notifications
+      def attachments
+        attachments = []
+
+        if @failed_targets.any?
+          attachment = {
+            color: 'danger',
+            title: "#{@failed_targets.count} failed credential updates :rotating_light:",
+            text: "Failed targets: `#{@failed_targets.join(', ')}`",
+            footer: 'bundle exec cap target app:update_secrets',
+            mrkdwn_in: ['text']
+          }
+          attachments << attachment
+          puts attachment.inspect
+        end
+
+        if @changed_targets.any?
+          text = "Changed targets: `#{@changed_targets.join(', ')}`\n"
+          text << (if @unchanged_targets.any?
+                     "Unchanged targets: `#{@unchanged_targets.join(', ')}`"
+                   else
+                     'No unchanged targets'
+                   end)
+          attachment = {
+            color: 'good',
+            title: "#{@changed_targets.size} successful credential updates",
+            text: text,
+            footer: 'bundle exec cap target app:update_secrets',
+            mrkdwn_in: ['text']
+          }
+          attachments << attachment
+          puts attachment.inspect
+        end
+
+        attachments
+      end
+    end
+  end
+end

data/lib/ndr_dev_support/tasks.rb

@@ -1,5 +1,6 @@
 load 'tasks/audit_code.rake'
 load 'tasks/audit_bundle.rake'
+load 'tasks/cd/credentials.rake'
 load 'tasks/ci/brakeman.rake'
 load 'tasks/ci/bundle_audit.rake'
 load 'tasks/ci/commit_cop.rake'

data/lib/ndr_dev_support/version.rb

@@ -2,5 +2,5 @@
 # This defines the NdrDevSupport version. If you change it, rebuild and commit the gem.
 # Use "rake build" to build the gem, see rake -T for all bundler rake tasks (and our own).
 module NdrDevSupport
-  VERSION = '6.1.6'
+  VERSION = '6.1.7'
 end

data/lib/tasks/cd/credentials.rake

@@ -0,0 +1,9 @@
+namespace :cd do
+  desc 'Run Capistrano Continuous Deployment credentials server'
+  task :credentials do
+    require 'ndr_dev_support/daemon/cd_credentials'
+
+    worker = NdrDevSupport::Daemon::CDCredentials.from_args(ENV)
+    worker.run
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ndr_dev_support
 version: !ruby/object:Gem::Version
-  version: 6.1.6
+  version: 6.1.7
 platform: ruby
 authors:
 - NCRS Development Team
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-07-01 00:00:00.000000000 Z
+date: 2022-07-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pry
@@ -422,6 +422,7 @@ files:
 - lib/ndr_dev_support/capistrano/standalone_gems.rb
 - lib/ndr_dev_support/capistrano/svn_cache.rb
 - lib/ndr_dev_support/capistrano/sysadmin_scripts.rb
+- lib/ndr_dev_support/daemon/cd_credentials.rb
 - lib/ndr_dev_support/daemon/ci_server.rb
 - lib/ndr_dev_support/daemon/stoppable.rb
 - lib/ndr_dev_support/integration_testing.rb
@@ -452,6 +453,7 @@ files:
 - lib/ndr_dev_support/version.rb
 - lib/tasks/audit_bundle.rake
 - lib/tasks/audit_code.rake
+- lib/tasks/cd/credentials.rake
 - lib/tasks/ci/brakeman.rake
 - lib/tasks/ci/bundle_audit.rake
 - lib/tasks/ci/commit_cop.rake