From 7d1a297e4b3cf3db6e2ced064d914735442d1aac Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Fri, 11 Apr 2014 13:49:31 -0700 Subject: [PATCH] Make jenkins proposal jobs use dedicated user. Switch all jenkins proposal jobs to a dedicated user with dedicated credentials. This is being done to be more flexible and secure when it comes to managing the scripts that make proposals to gerrit. Change-Id: I2dbdd530bf5b64c14207f645512a1eb319681166
---
 manifests/site.pp | 9 +++++---- modules/jenkins/files/slave_scripts/merge_tags.sh | 6 +++--- .../slave_scripts/propose_requirements_update.sh | 6 +++--- .../slave_scripts/propose_translation_update.sh | 6 +++--- .../propose_translation_update_manuals.sh | 6 +++--- .../openstack_project/manifests/proposal_slave.pp | 13 +++++++++++-- 6 files changed, 28 insertions(+), 18 deletions(-)
diff --git a/manifests/site.pp b/manifests/site.pp
index 773f4e34d3..611f1fe7a1 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -551,10 +551,11 @@ node 'mirror33.slave.openstack.org' {
 node 'proposal.slave.openstack.org' {
 include openstack_project
 class { 'openstack_project::proposal_slave':
- transifex_username => 'openstackjenkins',
- transifex_password => hiera('transifex_password'),
- jenkins_ssh_public_key => $openstack_project::jenkins_ssh_key,
- jenkins_ssh_private_key => hiera('jenkins_ssh_private_key_contents'),
+ transifex_username => 'openstackjenkins',
+ transifex_password => hiera('transifex_password'),
+ jenkins_ssh_public_key => $openstack_project::jenkins_ssh_key,
+ proposal_ssh_public_key => hiera('proposal_ssh_public_key_contents'),
+ proposal_ssh_private_key => hiera('proposal_ssh_private_key_contents'),
 }
 }
diff --git a/modules/jenkins/files/slave_scripts/merge_tags.sh b/modules/jenkins/files/slave_scripts/merge_tags.sh
index 1c492dd89d..47f6dd9dc0 100755
--- a/modules/jenkins/files/slave_scripts/merge_tags.sh
+++ b/modules/jenkins/files/slave_scripts/merge_tags.sh
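Review bot: In manifests/site.pp the two new lookups, `hiera('proposal_ssh_public_key_contents')` and `hiera('proposal_ssh_private_key_contents')`, are called without a default, so catalog compilation for proposal.slave.openstack.org should fail until both keys exist in the private hiera data; they need to be in place before this merges. The two halves are also looked up independently and nothing visible here checks that they belong to the same key pair. I would add a comment above the class declaration, for example `# proposal_ssh_* : key pair registered to the Gerrit proposal account; both halves come from private hiera`.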
@@ -16,9 +16,9 @@ TAG=$1
 if $(git tag --contains origin/milestone-proposed | grep "^$TAG$" >/dev/null)
 then
- git config user.name "OpenStack Jenkins"
- git config user.email "jenkins@openstack.org"
- git config gitreview.username "jenkins"
+ git config user.name "OpenStack Proposal Bot"
+ git config user.email "openstack-infra@lists.openstack.org"
+ git config gitreview.username "proposal-bot"
 git review -s
 git checkout master
diff --git a/modules/jenkins/files/slave_scripts/propose_requirements_update.sh b/modules/jenkins/files/slave_scripts/propose_requirements_update.sh
index c7486eb0c4..5a29325470 100755
--- a/modules/jenkins/files/slave_scripts/propose_requirements_update.sh
+++ b/modules/jenkins/files/slave_scripts/propose_requirements_update.sh
@@ -23,9 +23,9 @@ if [ -z "$BRANCH" ] ; then
 exit 1
 fi
-git config user.name "OpenStack Jenkins"
-git config user.email "jenkins@openstack.org"
-git config gitreview.username $USERNAME
+git config user.name "OpenStack Proposal Bot"
+git config user.email "openstack-infra@lists.openstack.org"
+git config gitreview.username "proposal-bot"
 for PROJECT in $(cat projects.txt); do
diff --git a/modules/jenkins/files/slave_scripts/propose_translation_update.sh b/modules/jenkins/files/slave_scripts/propose_translation_update.sh
index 32b026d068..ce4e7683fc 100755
--- a/modules/jenkins/files/slave_scripts/propose_translation_update.sh
+++ b/modules/jenkins/files/slave_scripts/propose_translation_update.sh
@@ -16,9 +16,9 @@ ORG=$1
 PROJECT=$2
 COMMIT_MSG="Imported Translations from Transifex"
-git config user.name "OpenStack Jenkins"
-git config user.email "jenkins@openstack.org"
-git config gitreview.username "jenkins"
+git config user.name "OpenStack Proposal Bot"
+git config user.email "openstack-infra@lists.openstack.org"
+git config gitreview.username "proposal-bot"
 git review -s
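Review bot: The same three `git config` lines with the literal bot identity are now repeated in merge_tags.sh, propose_requirements_update.sh, propose_translation_update.sh and propose_translation_update_manuals.sh, so the next identity change again has to be made in four places. A small shared file sourced by each script would keep the identity in one spot. It is also worth a comment beside `git config gitreview.username "proposal-bot"`, such as `# must match the Gerrit account that ~/.ssh/id_rsa on the proposal slave is registered to`, because the scripts themselves carry no other hint of which key authenticates this name. The `then` block in merge_tags.sh continues past the end of its hunk.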
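Review bot: In propose_requirements_update.sh the new line `git config gitreview.username "proposal-bot"` no longer reads `$USERNAME`, which the removed line used. If `$USERNAME` is still assigned or read elsewhere in the script (not visible in this hunk), for instance to look up already open changes, it can now disagree with the account that actually pushes, and changes proposed earlier under the old account may no longer be found or updated. Either set `USERNAME="proposal-bot"` where the variable is defined and keep `git config gitreview.username "$USERNAME"`, or remove the variable from the script entirely. The same question about changes still owned by the old account applies to the two translation scripts.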
diff --git a/modules/jenkins/files/slave_scripts/propose_translation_update_manuals.sh b/modules/jenkins/files/slave_scripts/propose_translation_update_manuals.sh
index 6f60f0793b..cc422ad296 100755
--- a/modules/jenkins/files/slave_scripts/propose_translation_update_manuals.sh
+++ b/modules/jenkins/files/slave_scripts/propose_translation_update_manuals.sh
@@ -26,9 +26,9 @@ fi
 COMMIT_MSG="Imported Translations from Transifex"
-git config user.name "OpenStack Jenkins"
-git config user.email "jenkins@openstack.org"
-git config gitreview.username "jenkins"
+git config user.name "OpenStack Proposal Bot"
+git config user.email "openstack-infra@lists.openstack.org"
+git config gitreview.username "proposal-bot"
 git review -s
diff --git a/modules/openstack_project/manifests/proposal_slave.pp b/modules/openstack_project/manifests/proposal_slave.pp
index 2153c9297a..d568726e78 100644
--- a/modules/openstack_project/manifests/proposal_slave.pp
+++ b/modules/openstack_project/manifests/proposal_slave.pp
@@ -5,7 +5,8 @@
 #
 class openstack_project::proposal_slave (
 $jenkins_ssh_public_key,
- $jenkins_ssh_private_key,
+ $proposal_ssh_public_key,
+ $proposal_ssh_private_key,
 $transifex_password = '',
 $transifex_username = 'openstackci',
 ) {
@@ -34,6 +35,14 @@ class openstack_project::proposal_slave (
 group => 'jenkins',
 mode => '0400',
 require => File['/home/jenkins/.ssh'],
- content => $jenkins_ssh_private_key,
+ content => $proposal_ssh_private_key,
+ }
+
+ file { '/home/jenkins/.ssh/id_rsa.pub':
+ owner => 'jenkins',
+ group => 'jenkins',
+ mode => '0400',
+ require => File['/home/jenkins/.ssh'],
+ content => $proposal_ssh_public_key,
 }
 }
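Review bot: In the parameter list of proposal_slave.pp, `$jenkins_ssh_private_key` is removed outright and the two replacements are required with no default, so any declaration of this class other than the one updated in manifests/site.pp will stop compiling. The class header comment, of which only the last `#` line is inside the hunk, should describe the new parameters, for example `# [*proposal_ssh_private_key*] private half of the key pair for the Gerrit proposal account; supplied from private hiera, never committed`, with a matching line for `proposal_ssh_public_key`.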
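Review bot: The proposal account's private key is still written to `/home/jenkins/.ssh/id_rsa` and owned by `jenkins`, so the new identity is separate at the Gerrit level only: anything that runs as the jenkins user on this node can read the key and push as the proposal account. That makes it important that only trusted proposal jobs are scheduled on this slave, which deserves a comment above the resource. Because the key arrives through `content`, setting `show_diff => false` on the id_rsa resource, on Puppet versions that support it, would keep it out of agent logs and reports. On the new id_rsa.pub resource `mode => '0400'` is stricter than a public key needs, and `'0644'` is the usual choice. The id_rsa resource begins above this hunk.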