vinyldns/MAINTAINERS.md

# Maintainers

## Table of Contents
* [Docker Content Trust](#docker-content-trust)
* [Sonatype Credentials](#sonatype-credentials)
* [Release Process](#release-process)

## Docker Content Trust

Official VinylDNS Docker images are signed when being pushed to Docker Hub. Docs for Docker Content Trust can be found 
at https://docs.docker.com/engine/security/trust/content_trust/.

Content trust is enabled through the `DOCKER_CONTENT_TRUST` environment variable, which must be set to 1. It is recommended that 
in your `~/.bashrc`, you have `export DOCKER_CONTENT_TRUST=1` by default, and if you ever want to turn it off for a 
Docker command, add the `--disable-content-trust` flag to the command, e.g. `docker pull --disable-content-trust ...`.

There are multiple Docker repositories on Docker Hub under 
the [vinyldns organization](https://hub.docker.com/u/vinyldns/dashboard/). Namely: 

* vinyldns/api: images for vinyldns core api engine 
* vinyldns/portal: images for vinyldns web client

The offline root key and repository keys are managed by the core maintainer team. The keys managed are:

* root key: also known as the offline key, used to create the separate repository signing keys
* api key: used to sign tagged images in vinyldns/api
* portal key: used to sign tagged images in vinyldns/portal

These keys are named in a <hash>.key format, e.g. 5526ecd15bd413e08718e66c440d17a28968d5cd2922b59a17510da802ca6572.key,
do not change the names of the keys. 

Docker expects these keys to be saved in `~/.docker/trust/private`. Each key is encrypted with a passphrase, that you 
must have available when pushing an image.


## Sonatype Credentials

The core module is pushed to oss.sonatype.org under io.vinyldns

To be able to push to sonatype you will need the pgp key used to sign the module. We use a [blackbox](https://github.com/StackExchange/blackbox/)
repo to share this key and its corresponding passphrase. Follow these steps to set it up properly on your local

1. Ensure you have a gpg key setup on your machine by running `gpg -K`, if you do not then run `gpg --gen-key` to create one,
note you will have to generate a strong passphrase and save it in some password manager
1. Make sure you have blackbox, on mac this would be `brew install blackbox`
1. Clone our blackbox repo, get the git url from another maintainer
1. Run `blackbox_addadmin <the email associated with your gpg key>`
1. Commit your changes to the blackbox repo and push to master
1. Have an existing admin pull the repo and run `gpg --keyring keyrings/live/pubring.kbx --export | gpg --import`, and `blackbox_update_all_files`
1. Have the existing admin commit and push those changes to master
1. Back to you - pull the changes, and now you should be able to read those files
1. Run `blackbox_edit_start vinyldns-sonatype-key.asc.gpg` to temporarily decrypt the sonatype signing key
1. Run `gpg --import vinyldns-sonatype-key.asc` to import the sonatype signing key to your keyring
1. Run `blackbox_edit_end vinyldns-sonatype-key.asc.gpg` to re-encrypt the sonatype signing key
1. Run `blackbox_cat vinyldns-sonatype.txt.gpg` to view the passphrase for that key - you will need this passphrase handy when releasing
1. Create a file `~/.sbt/1.0/vinyldns-gpg-credentials` with the content

    ```
    realm=GnuPG Key ID
    host=gpg
    user=vinyldns@gmail.com
    password=ignored-must-use-pinentry
    ```

1. Add credential configuration to global sbt setting in `~/.sbt/1.0/credential.sbt` with the content

    ```
    credentials += Credentials(Path.userHome / ".sbt" / "1.0" / "vinyldns-gpg-credentials")
    ```

## Release Process

We are using sbt-release to run our release steps and auto-bump the version in `version.sbt`. The `build/release.sh`
script will first run functional tests, then kick off `sbt release`, which also runs unit and integration tests before
running the release

1. Follow [Docker Content Trust](#docker-content-trust) to setup a notary delegation for yourself
1. Follow [Sonatype Credentials](#sonatype-credentials) to setup the sonatype pgp signing key on your local
1. Make sure you're logged in to Docker with `docker login`
1. Run `build/release.sh`
1. You will be asked to confirm the version which originally comes from `version.sbt`. _NOTE: if the version ends with 
`SNAPSHOT`, then the docker latest tag won't be applied and the core module will only be published to the sonatype
staging repo._
1. When it comes to the sonatype stage, you will need the passphrase handy for the signing key, [Sonatype Credentials](#sonatype-credentials)
1. Assuming things were successful, make a pr since sbt release auto-bumped `version.sbt` and made a commit for you
1. Run `./build/docker-release.sh --branch [TAG CREATED FROM PREVIOUS STEP, e.g. v0.9.3] --clean --push`
1. You will need to have your keys ready so you can sign each image as it is published.
vinyldns start docker publish process (#63) * start signed docker push process, manual for now * make quickstart guide in README, make MAINTAINTERS.md * fix error in comments in bin/docker-up-vinyldns.sh * change api and portal image tags to 0.8.0 in docker/docker-compose-build.yml 2018-08-07 11:26:43 -04:00			`# Maintainers`

			`## Table of Contents`
sbt release process (#75) * bin/release.sh script to check for required env variables, run tests, then run `sbt release` * MAINTAINERS.md that describes steps needed to release * implemented sbt release to run our release to docker and sonatype 2018-09-06 14:44:17 -04:00			`* [Docker Content Trust](#docker-content-trust)`
			`* [Sonatype Credentials](#sonatype-credentials)`
			`* [Release Process](#release-process)`

			`## Docker Content Trust`
vinyldns start docker publish process (#63) * start signed docker push process, manual for now * make quickstart guide in README, make MAINTAINTERS.md * fix error in comments in bin/docker-up-vinyldns.sh * change api and portal image tags to 0.8.0 in docker/docker-compose-build.yml 2018-08-07 11:26:43 -04:00
			`Official VinylDNS Docker images are signed when being pushed to Docker Hub. Docs for Docker Content Trust can be found`
			`at https://docs.docker.com/engine/security/trust/content_trust/.`

			Content trust is enabled through the `DOCKER_CONTENT_TRUST` environment variable, which must be set to 1. It is recommended that
			in your `~/.bashrc`, you have `export DOCKER_CONTENT_TRUST=1` by default, and if you ever want to turn it off for a
			Docker command, add the `--disable-content-trust` flag to the command, e.g. `docker pull --disable-content-trust ...`.

			`There are multiple Docker repositories on Docker Hub under`
			`the [vinyldns organization](https://hub.docker.com/u/vinyldns/dashboard/). Namely:`

			`* vinyldns/api: images for vinyldns core api engine`
			`* vinyldns/portal: images for vinyldns web client`

			`The offline root key and repository keys are managed by the core maintainer team. The keys managed are:`

			`* root key: also known as the offline key, used to create the separate repository signing keys`
			`* api key: used to sign tagged images in vinyldns/api`
			`* portal key: used to sign tagged images in vinyldns/portal`

			`These keys are named in a <hash>.key format, e.g. 5526ecd15bd413e08718e66c440d17a28968d5cd2922b59a17510da802ca6572.key,`
			`do not change the names of the keys.`

			Docker expects these keys to be saved in `~/.docker/trust/private`. Each key is encrypted with a passphrase, that you
			`must have available when pushing an image.`

sbt release process (#75) * bin/release.sh script to check for required env variables, run tests, then run `sbt release` * MAINTAINERS.md that describes steps needed to release * implemented sbt release to run our release to docker and sonatype 2018-09-06 14:44:17 -04:00
			`## Sonatype Credentials`

			`The core module is pushed to oss.sonatype.org under io.vinyldns`

			`To be able to push to sonatype you will need the pgp key used to sign the module. We use a [blackbox](https://github.com/StackExchange/blackbox/)`
			`repo to share this key and its corresponding passphrase. Follow these steps to set it up properly on your local`

			1. Ensure you have a gpg key setup on your machine by running `gpg -K`, if you do not then run `gpg --gen-key` to create one,
			`note you will have to generate a strong passphrase and save it in some password manager`
			1. Make sure you have blackbox, on mac this would be `brew install blackbox`
			`1. Clone our blackbox repo, get the git url from another maintainer`
			1. Run `blackbox_addadmin <the email associated with your gpg key>`
			`1. Commit your changes to the blackbox repo and push to master`
			1. Have an existing admin pull the repo and run `gpg --keyring keyrings/live/pubring.kbx --export \| gpg --import`, and `blackbox_update_all_files`
			`1. Have the existing admin commit and push those changes to master`
			`1. Back to you - pull the changes, and now you should be able to read those files`
			1. Run `blackbox_edit_start vinyldns-sonatype-key.asc.gpg` to temporarily decrypt the sonatype signing key
			1. Run `gpg --import vinyldns-sonatype-key.asc` to import the sonatype signing key to your keyring
			1. Run `blackbox_edit_end vinyldns-sonatype-key.asc.gpg` to re-encrypt the sonatype signing key
			1. Run `blackbox_cat vinyldns-sonatype.txt.gpg` to view the passphrase for that key - you will need this passphrase handy when releasing
			1. Create a file `~/.sbt/1.0/vinyldns-gpg-credentials` with the content

remove sonatype credential setting and update docs (#306) 2018-12-17 18:24:27 +01:00			```
			`realm=GnuPG Key ID`
			`host=gpg`
			`user=vinyldns@gmail.com`
			`password=ignored-must-use-pinentry`
			```

Update build and release scripts 2021-10-27 14:09:40 -04:00			1. Add credential configuration to global sbt setting in `~/.sbt/1.0/credential.sbt` with the content
remove sonatype credential setting and update docs (#306) 2018-12-17 18:24:27 +01:00
			```
			`credentials += Credentials(Path.userHome / ".sbt" / "1.0" / "vinyldns-gpg-credentials")`
			```
sbt release process (#75) * bin/release.sh script to check for required env variables, run tests, then run `sbt release` * MAINTAINERS.md that describes steps needed to release * implemented sbt release to run our release to docker and sonatype 2018-09-06 14:44:17 -04:00
			`## Release Process`
vinyldns start docker publish process (#63) * start signed docker push process, manual for now * make quickstart guide in README, make MAINTAINTERS.md * fix error in comments in bin/docker-up-vinyldns.sh * change api and portal image tags to 0.8.0 in docker/docker-compose-build.yml 2018-08-07 11:26:43 -04:00
Update build and release scripts 2021-10-27 14:09:40 -04:00			We are using sbt-release to run our release steps and auto-bump the version in `version.sbt`. The `build/release.sh`
sbt release process (#75) * bin/release.sh script to check for required env variables, run tests, then run `sbt release` * MAINTAINERS.md that describes steps needed to release * implemented sbt release to run our release to docker and sonatype 2018-09-06 14:44:17 -04:00			script will first run functional tests, then kick off `sbt release`, which also runs unit and integration tests before
			`running the release`
vinyldns start docker publish process (#63) * start signed docker push process, manual for now * make quickstart guide in README, make MAINTAINTERS.md * fix error in comments in bin/docker-up-vinyldns.sh * change api and portal image tags to 0.8.0 in docker/docker-compose-build.yml 2018-08-07 11:26:43 -04:00
sbt release process (#75) * bin/release.sh script to check for required env variables, run tests, then run `sbt release` * MAINTAINERS.md that describes steps needed to release * implemented sbt release to run our release to docker and sonatype 2018-09-06 14:44:17 -04:00			`1. Follow [Docker Content Trust](#docker-content-trust) to setup a notary delegation for yourself`
			`1. Follow [Sonatype Credentials](#sonatype-credentials) to setup the sonatype pgp signing key on your local`
			1. Make sure you're logged in to Docker with `docker login`
Update build and release scripts 2021-10-27 14:09:40 -04:00			1. Run `build/release.sh`
sbt release process (#75) * bin/release.sh script to check for required env variables, run tests, then run `sbt release` * MAINTAINERS.md that describes steps needed to release * implemented sbt release to run our release to docker and sonatype 2018-09-06 14:44:17 -04:00			1. You will be asked to confirm the version which originally comes from `version.sbt`. _NOTE: if the version ends with
			`SNAPSHOT`, then the docker latest tag won't be applied and the core module will only be published to the sonatype
Updates - Remove old, unused scripts in `bin/` - Remove old images from release - `test` and `test-bind` are no longer necessary. Test images are in a different repo now - Remove Docker image creation from sbt build config - actual `Dockerfile` files are easier to deal with - Update scripts in `bin/` to utilize new Docker images - Update documentation for changes - Update all Docker Compose and configuration to use exposed ports on the `integration` image (19001, 19002, etc) both inside the container and outside to make testing more consistent irrespective of method - Update FlywayDB dependency to v8 to fix a weird logging bug that showed up during integration testing. See: https://github.com/flyway/flyway/issues/2270 - Add `test/api/integration` Docker container definition to be used for any integration testing - Move `module/api/functional_test` to `test/api/functional` to centralize the "integration-type" external tests and testing utilities - Move functional testing and integration image to the `test/` folder off of the root to reduce confusion with `bin/` and `docker/` 2021-10-15 15:06:04 -04:00			`staging repo._`
sbt release process (#75) * bin/release.sh script to check for required env variables, run tests, then run `sbt release` * MAINTAINERS.md that describes steps needed to release * implemented sbt release to run our release to docker and sonatype 2018-09-06 14:44:17 -04:00			`1. When it comes to the sonatype stage, you will need the passphrase handy for the signing key, [Sonatype Credentials](#sonatype-credentials)`
			1. Assuming things were successful, make a pr since sbt release auto-bumped `version.sbt` and made a commit for you
Update Release (#890) Updated release process: - `bin/release.sh` - added checks so we can only release from master, and can only release from upstream - `build.sbt` - removed sbt publishing of docker images, we will now use `build/docker-release.sh` for that release - `build/release.sh` -- renamed --> `build/docker-release.sh` - `build/docker-release.sh` - added a version override to make it simple to force a version 2019-10-30 07:04:11 -04:00			1. Run `./build/docker-release.sh --branch [TAG CREATED FROM PREVIOUS STEP, e.g. v0.9.3] --clean --push`
			`1. You will need to have your keys ready so you can sign each image as it is published.`