Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
S
S
StopDesign2019-07-21 20:30:33
Continuous Integration
StopDesign, 2019-07-21 20:30:33

How to set up a deployment in Gitlab CI so that the developer does not get access to the host?

I want to set up build, test and deploy via GitLab.
The conditional scheme of the pipeline looks something like this:
5d349e7ed5974149645092.png
The deploy_staging task is launched automatically.
The deploy_prod task can only be run by certain users.
Hashicorp Vault is used to store and transfer secrets/settings to the pipeline and to the server.
And I can't figure out how to protect the host from being accessed by any developer who might be committing one of the branches.
The only way that came to mind is to manually transfer some special key to the environment every time you start the pipeline, which only a person with rights to access the production server knows. And I'm not sure that this key cannot be peeped in the logs.
In systems where the deployment config is hidden from the developer, you can set some conditions that allow deployment to production under certain conditions (branch name, name of the deployment initiator). In GitLab, all parameters fall into environment variables, they can be displayed in the logs, view, copy all the tokens and certificates for yourself.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
S
SlavikF, 2019-07-22
@SlavikF

Yes, I remember somehow puzzling over this, but in the end it turned out that there is some option that the developer can access the production server.
Then I solved it by the fact that the main project had access only to staging, and for the sale there was a fork of this project with its own runner.
But after that, Gitlab added a few features, so maybe now there is another option.
Today I think it's possible to:
- have 2 runners: one for staging, one for production
- runner for production set permission to run only on `master`
- the developer does not have privileges to access `master`.
This implies that staging and production are different servers.

Similar questions
T
totsamiynixon2021-05-30 22:46:57
How to write correct Unit/Integration tests? 2Reply
S
stanlee2015-08-14 17:19:47
What is the best continuous integration system to use for a PHP project now? 3Reply
I
Ilya2015-09-07 09:24:29
Which tool to choose for C++ integration tests? 0Reply
A
Anatoly Soldatov2020-03-04 15:01:22
Explain on your fingers how to prepare CI using GitLab, GitLab runner, docker, php? 1Reply
D
Dmitry2017-12-01 18:12:41
Why isn't Jenkins merging a commit? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question