Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Incubation Engineering / 18 Mar 2022
GitLab / Incubation Engineering / 18 Mar 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Incubation Engineering DevOps for Mobile Apps -- Weekly Update March 18th, 2022

Description

https://gitlab.com/gitlab-org/incubation-engineering/devops-for-mobile-apps/readme/-/issues/60

A

Hey everyone today is march 18th 2022.. This is the devops for mobile apps update, I'm gonna go ahead and share my screen and we can uh jump into the demo.

A

So um on my screen here, I've got the update issue, so this will be linked in the video description on youtube, so you can get to all the links from there.

A

The first section here is just talking about the sync update experiment, I'm going to have these here and the times and the links for all of these past and future, and then I'll update the link issue here too, after this recording.

A

So the main focus for devops for mobile apps this week has been kind of two different things. The one is finishing the secure files mvc. uh So I have an issue here that I'll walk through in a second um and then the uh the second part is the fastlane integration, so um so I'll start off with the mvc.

A

This is the issue here that I'm tracking kind of all the tasks that are associated with getting this first version of secure files released to gitlab.com in case uh to set some context. I guess the secure files feature is a feature that we've built into gitlab that allows for the upload of binary files to to be used as kind of ci variables.

A

So what this will allow you to do in the case of mobile is to upload your provisioning profiles and signing certificates to gitlab in a secure way and then be able to pull those into your ci jobs. So you can build your your test flight releases, your app store releases using those certificates.

A

um So basically, what we've got here is a bunch of tasks that I'm working through most of these are started, except for the feature flag rollout for obvious reasons, because we're not quite to that stage yet, but we made a lot of progress this week.

A

The uh the infrastructure is still in progress, so we're getting that there, hopefully we'll be able to test this on staging pretty soon, um but we did go through an appsec review of the api and had some good feedback. Everything looks good though, but there's some a couple: follow-up tasks that that I picked up from that and let's see the other other changes.

A

That kind of went in this week are a change to clean up clean up, secure files when when projects are destroyed, so this was just um just kind of a cleanup task that we needed to do um and then uh the let's see, um oh there's, adding some limits so kind of a limit to the number of files that can be uploaded to a project. We're doing this to prevent any kind of abuse that might happen to the api.

A

So right now, projects are just limited to 100 files and we'll we'll roll that out and then see see kind of what the right calibration is for that down the road and then the the last feature here that I wanted to chat about is um adding a checksum to the uploaded file that can be used to verify. The file that was received is correct, so this this was actually uh some feedback that came out of the appsec review, which I thought was a really a really nice addition to the feature.

A

So basically, what this will do is when you're uploading a file to secure files. You can provide a 256 check sum of that file along with the payload and then when we go to process that, on our back end, we'll check that to make sure that everything verifies correctly. So that would prevent any sort of um interception uh attacks or anything like that. So um uh and then, if that value isn't provided, then we just don't check it. So it's an optional uh feature, but a nice additional uh security check there.

A

So um so that is in an mr review right now and we'll hopefully get that merged in early next week. So then kind of moving on to the fast lane integration. I touched on this a little bit last week and I've got a kind of working demo that I'll show here.

A

But essentially what fastlane is is a it's a open source tool chain for mobile developer mobile developers to make the whole process of building mobile, apps kind of easier and more repeatable and- and it is, uh is a nice tool to integrate with ci systems, and so one of the components of that is a tool called match. And what what match does is it?

A

It makes the code signing process easier by making the management of provisioning profiles and secure certificates um easier, and this is the there's a lot of complexity around this, and um so so match is a is a great tool to to simplify that match uses some different backends, and so I kind of talked about this last week too.

A

But you can use git, you can use google cloud, you can use aws and then what I'm working on is a gitlab secure files back-end for this, and so when you write your match file, I've got an example here. Basically, you set your storage mode and your gitlab project, and then the type is either like development or app store, like whichever type of certificates you're building locally.

A

And then you can run match and it will either generate those certificates um or it will pull down the ones that are already stored in your back end, and so this can be used for for teams trying to distribute certificates and keep those consistent, but it also is. um It also also is used in ci.

A

So when you're setting up your ci, build, you'll you'll run gitlab or fastlane match to pull down those certificates from gitlab, so this, uh hopefully this will make more sense when I, when I show you how this works, but um basically what I've got here is. um I have a project.

A

I've been building locally and I've configured fastlane to talk to my local get lab instance, and I've got my project here with um there's no secure files right now, um and then I've also got the tab open here into my apple developer portal, which shows that now the certificates have been generated. Yet what I'm going to do over here in my terminal is I'm just going to run uh bundle?

A

Let me put this down so actually.

A

Fastlane match and what this command will do is it will look at the project. It will look at gitlab and it will look at the apple developer portal and see that we don't have any certificates generated and it will go and generate the whole thing for us and upload it. So this will take just a little bit to run and it has a bunch of output along the way. But it's basically saying what it's going to do here and kind of how it's configured.

A

And there we go and uh it does have like I have logged into the developer portal through fastline, so it has my like login saved. um If I hadn't been logged in it would prompt me for my, uh like account and password all right cool. So I think that is done. So it says all keys certificates and provision profiles are installed.

A

So now, if I go over here I'll see that it's generated a development certificate and a provisioning profile for the development. And then, if I go over here.

A

This is going to show these five files and what these files are is. um These two are kind of just uh meta files that that go along with fastline, so there's this is just telling me what version of match is running and then match uses that internally and then they include a readme too.

A

But the main things that are important here is this: is the mobile provisioning profile and then it generated a private key and then a signing cert here.

A

So these these are the files that I would use in my build process um and I can use that locally or in in ci, and so this is for development, and so, if I were to do see, if I were to change my type here to app store um and then run this again now, it's going to go and do the the distribution certificates, and so that would be for uh actually pushing to the app store all right and that completed successfully.

A

um And then, if we go back in here, we'll see another provisioning profile for the app store, as well as the uh the distribution certificate here, and then we've got these files. That will also show up in here there we go, so we've got the distribution certificate, the private key and the provisioning profile.

A

uh Yes, reid. You have a question.

B

Yeah uh thanks, uh so I missed a lot of these videos, so I might be missing context or you might have.

A

Answered this.

B

Before one of the previous videos yeah, how are these secure files linked to uh different environments in terms of in terms of gate, branches or the environments that we have within the project?.

A

um Let's see so so you're saying like how are these related to either like development branches or actual like release environments as part of gitlab?

A

um So there's there isn't any type of association yet for that that, uh like those type of relationships um really like what uh the way the secure files acts right now is just kind of a that's like a small repository um and they can be used through um kind of whatever ci configuration. You want to run to pull into the different environments so, um like I guess the example would be. If you were.

A

If you wanted to use these with fastlane, for example, you would you would tell fastlane which, um which type of certificates to use for the build that you're trying to run. So, if I were, I don't have a good example of this, but if I were building like a ci script to use these secure files, my one of my steps would be something like um vaseline match.

A

um Sorry, exec wrestling match development and what this should do like if this were in a ci job, this would go and reach out to get lab and pull down the the secure files for the development environment. For that job. Does that make sense.

B

Got it got it so, somewhere at somewhere in gitlab, there is a mapping for the environment, name in this case development, with this particular set of files similar to what we do with project ci bars just.

A

um So there there isn't that relationship today, so that that, like that, would be um configured through the ci scripts. So um fastlane knows about this because of because fastlane understands the the naming convention that it uses.

B

But.

A

If you weren't using fastlane, what you would probably do is- um and this is still kind of a work in progress- you would you'd probably pull down like all your secure files into a folder in your ci job and then select. You know like configure your ci job to use the ones for the different environment that you would have you got it, um but yeah like. I could see future iterations of that having some sort of association there yeah.

B

Just uh just a follow-up, so when I'm in my runner context, I'm running a pipeline for a project that has got a certain set of secure files, um how are these files provided to the runner like? How does the runner know they exist? Yeah.

A

That's a good question, so there is a.

A

A kind of temporary uh solution for this um we'll call it a first iteration, um but what this? uh The way that this is set up today is um there's this little ruby script that uh you can set up in your ci job. Using this this one liner here uh and what this does is it basically goes out to get lab grabs all the secure files and then pulls them into your your runner instance um yeah, and so there's no there's no special hooks into runner.

A

Today, that's um one of the follow-up tasks we have actually yeah and um uh where is that at uh yeah uh runner integration, so probably a more proper running runner integration would be would be helpful, um but this is kind of the the quick quick work around to make it functional today.

B

Yeah, no probably this is this ties in with the previous point about making secure files environment specific so that when you run this, it doesn't pull down all the files, because.

A

Some secure files.

B

Are more secure or should be more secure than than the others so uh yeah, but this is cool man this. This is excellent and and the.

A

Use case is so broad.

B

Because it's not just mobile specific, you could use it for a lot of different things. So uh nice.

A

Yeah yeah and that that was that was sort of the idea. Sort of the generalized approach solves the problem for mobile, but then could be used for many other uh the context and and really um the idea behind the sort of mvc release of this is like: let's, let's get it out there and get some feedback from people and get like feedback just like that, like you're describing like how do we associate these two environments or or like? How do we protect these in different ways?

A

um I think there's probably like some sort of hierarchy to that, but.

B

No I'd love to see the ui that you uh is there, so how do I upload a secure file, or how does that happen? Is that just an api right now or.

A

Yeah, so the the first iteration of this was really just an api interface, um and so there is uh in this issue here there is a section on the docs, so I added this the api docs here. So there is a full. You know sort of write up on how to interact with secure files today, and that's mostly done through the api.

A

This view, right here is, is just a single like read-only view that I I created just to have something to start with um this isn't really intended for um for, like a broad release, I think um before we would release this ui. I would want to have the ability to at least upload files directly here um and then, like you know, maybe delete, maybe not.

B

Like who, who wants to upload files through a browser- I don't know, but this is cool, so does this uh so in terms of navigation? Is this secure files under ci cd.

A

uh It's not hooked into the navigation right now, either. Okay, so it's it's, like you know, sort of feature flagged off in that way, um because it's just sort of hidden but um but yeah. I think this would like the in the sketches that I had it was. It was maybe, I think, under ci cd, like adding a new tab in here for secure files.

B

So yeah, because that's where we okay for variables right now, you have to go into settings and you have to that's not ideal in my opinion, but okay.

A

Yeah, I think I think putting it in here would would would really kind of scope the context a little bit so like. Oh these, these are for ci cd they're, not secure files for package registries or or security scanners, or other things like that right, like maybe they could be used that way but like this is what they're intended for so yeah.

B

Right so if I upload readme.md again that's going to overwrite the existing file and the previous version is lost forever.

A

So what um what what I'm intending to do with this is to actually like right now. We don't have a validation for this, but I'm going to add it. So uh files have to have a unique name, and if you try to upload a file with the same name, uh it will give you an error. So if you, if you try to upload readmemd again, it would reject it. So we already have a file in this project with that name: okay, either either delete that file or change the name.

A

So you have to do an explicit action to overwrite something instead of accidentally doing it.

B

Yeah yeah, so I could always just delete it. Yeah.

A

Exactly.

B

Makes sense lovely thank you.

A

uh My next steps here are to continue on the mvc rollout um and get to staging and get lab.com.

A

I'm the the fastlane integration is a work in progress, but I'm hoping to have a pull request into the fastline project coming up this week and start working through the uh the process of getting that change merged in and then uh the upload checksums. I'm also working on that and I've got an mrn progress for that. So that is what we've got for this week.