1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
|
[[!meta title="Planning meeting (iteration 29)"]]
[[!tag meeting]]
[[!meta date="2018-09-11 10:14"]]
[[!meta author="liw"]]
People
=============================================================================
* [[people/liw]]
* [[people/dsilvers]]
* Ivan
Agenda
=============================================================================
* Discuss and decide goals for this iteration.
Notes
=============================================================================
* This iteration is about moving ick towards being hostable. The
current roadmap for that is reproduced below, and is on the
[[roadmap]] page as well.
* There are currently to major aspects that need work: isolating users
from each other, and having a friendly web user interface.
* For isolation, we will make each "resource" in the ick API be owned
by a user, and for that we will need to change API use to rely on
access tokens that identify the user. This means moving form the
OAuth2 client credential authentication to OpenID Connect, extended
with "API tokens".
* For the web user interface, Ivan and Daniel have agreed to
collaborate. Lars will stay out of it, since he's not a front-end
developer. The current plan is to use React, and to build the static
JS files in a container, using npm, and deploying the generated
files to a server.
Roadmap for hostable ick
=============================================================================
@startroadmap
hosted_demo:
label: |
Lars run a hosted
demo service for
himself and users
depends:
- user_friendly
- secure_from_users
- secure_for_users
- on_demand_workers
- trigger_service
- multiarch
user_friendly:
label: |
Ick is reasonably
user friendly to
techies.
depends:
- webui
- self_registration
multiarch:
label: |
Ick supports building
for multiple
architecturs.
depends:
- worker_tags
- concurrency
secure_from_users:
label: |
Ick is safe and
secure from users
doing silly things.
depends:
- networkless_containers
secure_for_users:
label: |
Ick is secure for
users to use.
depends:
- isolation
- secrets
secrets:
label: |
Ick provides a way to
securely use secrets:
ssh keys, pgp keys,
Qvisqve access
tokens.
depends:
- owned_resources
networkless_containers:
label: |
Containers have, by
default, no network
access. Trusted users
can allow specific
builds to have
network access in
containers.
depends:
- owned_resources
concurrency:
label: |
Ick can execute
several actions in
the same build
concurrently.
depends:
- worker_tags
worker_tags:
label: |
Ick allows projects
and workers to have
tags, and can choose
which worker to give
an action to, based
on tags
on_demand_workers:
label: |
Ick can create
and destroy
workers on demand
depends:
- worker_tags
trigger_service:
label: |
Ick can trigger
multiple builds when
a git repo changes,
or when an ick build
finishes, or after
some time has psssed
isolation:
label: |
Users can only see,
manipulate their own
data
depends:
- owned_resources
owned_resources:
label: |
Each resource is
owned by its creator
self_registration:
label: |
Users can create
an account by themselves
via a web browser
depends:
- webui
webui:
label: |
Ick has a web UI
that allows creation,
updating, triggering
of projects, builds,
viewing status, logs
@endroadmap
Roadmap for this iteration
=============================================================================
@startroadmap
owned_resources:
label: |
Each resource is
owned by its creator
depends:
- API_token_spec
API_token_spec:
label: |
Have a spec for how
API tokens work.
webui:
label: |
Ick has a web UI
that allows creation,
updating, triggering
of projects, builds,
viewing status, logs
depends:
- ui_hello
- ui_cd
ui_hello:
label: |
Write a React 'hello, world'
application.
ui_server:
label: |
Set up server where
the web UI is hosted.
ui_cd:
label: |
Set up ick job to build
web UI and deploy it to
a server.
depends:
- ui_server
@endroadmap
Tasks for this week
=============================================================================
Tasks may be part of a project or be random small ones (max an hour)
that just need doing.
[[!table data="""
what | Who | estimate(h)
Draft spec for API tokens in Qvisqve | Lars | 1
Draft spec for variable expansion in .ick files | Lars | 1
Set up a server to host ick web UI | Lars | 1
Prepare React App framework repository and populate with Hello World app | Ivan | 4
Verify independent ability to build and run webapp | Daniel | 2
Total | Lars | 3
Total | Daniel | 2
Total | Ivan | 4
"""]]
Task descriptions
------------------------------------------------------------------------------
* **Draft spec for API tokens in Qvisqve:** Draft a specification for
how API tokens would work in Qvisqve, and how they would be used by
icktool. Offer draft for review.
_Acceptance criteria:_ At least one person says +1 and nobody has
serious objections.
* **Draft spec for variable expansion in .ick files:** To let users
reduce repetition in .ick files, and to shorten them, it would be
nice to be able to use variables. Draft a specification for how that
would work, with examples. Probably based on the [Mustache][]
specification.
[Mustache]: https://mustache.github.io/mustache.5.html
_Acceptance criteria:_ At least one person says +1 and nobody has
serious objections.
* **Set up a server to host ick web UI:** Set up a VM, domain name,
and TLS certificate to serve the static files generated from the ick
web UI. Later on, this will also host the ick UI facade application
(which will be necessary to do logins securely). The demo ick
workers, and Daniel, and Ivan, should have ssh logins and
passwordless sudo access on the host.
_Acceptance criteria:_ Daniel and Ivan accept the server setup and
confirm they can log in and become root with sudo.
* **Prepare React App framework repository and populate with Hello
World app:** The application should say "hello, world" (or some
similar greeting), and use the React machinery to do so: npm to
install dependencies, whatever the React build command is chosen to
do the build.
_Acceptance criteria:_ Ivan says OK.
* **Verify independent ability to build and run webapp:** Review the
work by Ivan to make sure the application can be built and run by
someone else than Ivan. This is a necessary step to automate build
and deployment.
_Acceptance criteria:_ Daniel says OK.
|
