On-demand Source Control (or Source Control-as-a-Service)

This feature provides simple on-demand git repositories, tenant-aware, and ssh accessible.

Note: We do not rely on gerrit or any other review system for now. We just provide git access to be able to host source code within Solum.

Use-case:

• A user creates an application (solum app create) and specify in the plan file that he needs the creation of a git repository associated with this application.
• Solum creates the git repository as a bare repository and return the url to the user
• When the user creates an assembly associated with the plan, Solum add a hook to the repository associated with the trigger_url generated
• The user either clones the repository or add it as a remote to an existing repository
• When the user pushes code to the git repo, it triggers solum workflow

Implementation details:

• Solum should rely on a tool like gitolite to provide git hosting.
• It should also be coupled with OpenStack keypairs, so that a a keypair associated with an OpenStack tenant could be used for accessing a git repository createad by Solum.
• Repositories would be hosted on a dedicated VM or a dedicated container spawned by Nova

First implementation:

I would like to have a first simple implementation of this feature an then iterate on this.

• Spawn a VM (or a Docker container) with Gitolite installed on it (Maybe create an pre-built image like Trove is doing)
• Create all git repositories on this vm (from the use-case)
• Use a nova-keypair of the user as the ssh key for the git user

Further investigations:

(taken from the launchpad whiteboard by kraman)

In order to implement the above use-case following questions need to be answered:

1. What is the notion of a 'registered user'? Keystone provides abstraction of a tenant/project. How do we tie Keystone's tenant/project with a 'registered user'? Are they the same?

2. How to enable 'git push' access to registered users? Git supports https (username/password) or ssh (public/private keys) based access.

• One possible approach for supporting ssh-based access would be to provide a API for users to upload their public key as part of registration step. As part of this step we also create a user account on the Git server for that user and set it up for ssh access.
  • Would https://github.com/stackforge/barbican be the service to store user keys?
  • Could we use nova's "nova keypair-add" functionality for this?
• What are other possible approaches to set this up?

3. How should we provision Git server(s)?

• Is it a set of load-balanced servers for all Solum users?
• Do we have one Git server per user?
  • One advantage of this approach:
    • We could use "nova keypair-add" functionality to provision ssh access to the user-specific Git server
  • A disadvantage is that scalability might be an issue
• Could we use Docker containers for each user's Git server?
  • What are security implications of this design?

4. What are the mechanisms for getting the code from a Git repo to other parts of the Solum system?

• One option is to use post-receive-hook that sends a tar/zip of the repository via a POST call to the Solum API server.
• What are other options?

Additional Questions/Considerations:

1. How do we support a use case of allowing multiple users (developers on a team, for example) pushing to the same git repository in Solum (will be needed for collaborative work).
2. How do we support different levels of accesses to different users (some have read, some have read and write).
3. How do we support RBAC for code access (certain roles may only have read access certain roles may have read and write access).

Following might be useful in developing above capabilities:

[1] http://dl.acm.org/citation.cfm?id=1998460

[2] https://github.com/sitaramc/gitolite/